
Windows Analysis Report
5006_2.6.2.exe

Overview

General Information

Sample name:5006_2.6.2.exe
Analysis ID:1412313
MD5:8541da559ecb090cd768bc6f3173ffc4
SHA1:35c33bb61dcc017903a07ba70d69885c67fee39a
SHA256:fbe8bba07f8b3c2307339d5aff885e46f8a14a251af04fc0455943c72b8c3ef6

Detection

Score:54
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Deletes itself after installation
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks winsocket function (used for sniffing or altering network traffic)
Install WinpCap (used to filter network traffic)
Installs a global event hook (focus changed)
Installs a global get message hook
Installs new ROOT certificates
Modifies the prolog of user mode functions (user mode inline hooks)
Overwrites Mozilla Firefox settings
Sample is not signed and drops a device driver
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
AV process strings found (often used to terminate AV products)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Enables security privileges
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Use Short Name Path in Command Line
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 5006_2.6.2.exe (PID: 6532 cmdline: "C:\Users\user\Desktop\5006_2.6.2.exe" MD5: 8541DA559ECB090CD768BC6F3173FFC4)
    • antivirus_detector.exe (PID: 3808 cmdline: "antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning|| MD5: 7BCC1F1DEB45BF58C7C559DFE3240E08)
      • main_installer.exe (PID: 1864 cmdline: "C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe" -s=1 MD5: 2F61BD2AC7DC2252AD5743093CEB09DC)
        • post_install.exe (PID: 3304 cmdline: "post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0 MD5: 52A76696B447635922D8EC87D0DA7FEE)
  • svcAppUpdate.exe (PID: 4332 cmdline: "C:\Program Files (x86)\Windows Provisioning\svcAppUpdate.exe" MD5: E53E0020D7FE34B1E8F75AF444E64C72)
  • svcAppInit.exe (PID: 6556 cmdline: "C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe" MD5: 3135A7FEE1AD484104A1309104312D9E)
    • rundll32.exe (PID: 6056 cmdline: rundll32.exe "C:\Program Files (x86)\Windows Provisioning\svcAppInit.dll",ProcessDll s=hidedialog MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3220 cmdline: C:\Windows\sysnative\rundll32.exe "C:\Program Files (x86)\Windows Provisioning\windows_hook_64.dll",ProcessDllStub MD5: EF3179D498793BF4234F708D3BE28633)
  • svcAppLookup.exe (PID: 2924 cmdline: "C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe" MD5: 794122A33A390FF07CA891B568110D10)
  • nt_system_service.exe (PID: 7060 cmdline: "C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe" MD5: 64F8F960D535AA6200E620C1DEF292FB)
    • certutil.exe (PID: 6224 cmdline: nss\certutil -A -t "TCu" -i "C:\PROGRA~2\WIE901~1\app_data\DE_NET~1/SSL/DIGICE~1.CER" -n "de_netfilter/SSL/DigiCert SHA2 Extended Validation Server CA 3" -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\V6ZCHH~1.DEF" -f pwfile MD5: 3337B8D5AAB06D9072E3D4A72E0F9D26)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.dll | Rule: Windows_Ransomware_Hellokitty_d9391a1a | Description: unknown | Author: unknown
  • 0x58255b:$a1: 83 6D 08 01 75 DF 89 47 FC 8B 45 F8 5F 5E 5B 8B E5 5D C3 89
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.dll | Rule: Windows_Ransomware_Hellokitty_d9391a1a | Description: unknown | Author: unknown
  • 0x58255b:$a1: 83 6D 08 01 75 DF 89 47 FC 8B 45 F8 5F 5E 5B 8B E5 5D C3 89
Source | Rule | Description | Author | Strings
Source: 0000000A.00000002.4464326614.000000006AAB1000.00000020.00000001.01000000.0000001B.sdmp | Rule: Windows_Ransomware_Hellokitty_d9391a1a | Description: unknown | Author: unknown
  • 0x58215b:$a1: 83 6D 08 01 75 DF 89 47 FC 8B 45 F8 5F 5E 5B 8B E5 5D C3 89
Source | Rule | Description | Author | Strings
Source: 10.2.rundll32.exe.6aab0000.4.unpack | Rule: Windows_Ransomware_Hellokitty_d9391a1a | Description: unknown | Author: unknown
  • 0x58255b:$a1: 83 6D 08 01 75 DF 89 47 FC 8B 45 F8 5F 5E 5B 8B E5 5D C3 89

All three matches are the same 20-byte string $a1 at the same position in one module: svcAppInit.dll on disk, its image mapped into rundll32.exe (process 10 of this analysis), and the unpacked copy of that image. The bytes are an ordinary compiler-generated loop tail and function epilogue (sub dword [ebp+8],1 / jnz / mov [edi-4],eax / mov eax,[ebp-8] / pop edi / pop esi / pop ebx / mov esp,ebp / pop ebp / ret). No ransomware behaviour appears elsewhere in this report, and the PDB paths below place the build in a Flexispy workspace, so the community rule's family name is a weak indicator, not a classification.

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: nss\certutil -A -t "TCu" -i "C:\PROGRA~2\WIE901~1\app_data\DE_NET~1/SSL/DIGICE~1.CER" -n "de_netfilter/SSL/DigiCert SHA2 Extended Validation Server CA 3" -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\V6ZCHH~1.DEF" -f pwfile, CommandLine: nss\certutil -A -t "TCu" -i "C:\PROGRA~2\WIE901~1\app_data\DE_NET~1/SSL/DIGICE~1.CER" -n "de_netfilter/SSL/DigiCert SHA2 Extended Validation Server CA 3" -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\V6ZCHH~1.DEF" -f pwfile, CommandLine|base64offset|contains: , Image: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exe, NewProcessName: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exe, OriginalFileName: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exe, ParentCommandLine: "C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe", ParentImage: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe, ParentProcessId: 7060, ParentProcessName: nt_system_service.exe, ProcessCommandLine: nss\certutil -A -t "TCu" -i "C:\PROGRA~2\WIE901~1\app_data\DE_NET~1/SSL/DIGICE~1.CER" -n "de_netfilter/SSL/DigiCert SHA2 Extended Validation Server CA 3" -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\V6ZCHH~1.DEF" -f pwfile, ProcessId: 6224, ProcessName: certutil.exe
Source: Process started | Author: frack113, Nasreddine Bencherchali | Data: Command: nss\certutil -A -t "TCu" -i "C:\PROGRA~2\WIE901~1\app_data\DE_NET~1/SSL/DIGICE~1.CER" -n "de_netfilter/SSL/DigiCert SHA2 Extended Validation Server CA 3" -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\V6ZCHH~1.DEF" -f pwfile, CommandLine: nss\certutil -A -t "TCu" -i "C:\PROGRA~2\WIE901~1\app_data\DE_NET~1/SSL/DIGICE~1.CER" -n "de_netfilter/SSL/DigiCert SHA2 Extended Validation Server CA 3" -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\V6ZCHH~1.DEF" -f pwfile, CommandLine|base64offset|contains: , Image: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exe, NewProcessName: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exe, OriginalFileName: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exe, ParentCommandLine: "C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe", ParentImage: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe, ParentProcessId: 7060, ParentProcessName: nt_system_service.exe, ProcessCommandLine: nss\certutil -A -t "TCu" -i "C:\PROGRA~2\WIE901~1\app_data\DE_NET~1/SSL/DIGICE~1.CER" -n "de_netfilter/SSL/DigiCert SHA2 Extended Validation Server CA 3" -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\V6ZCHH~1.DEF" -f pwfile, ProcessId: 6224, ProcessName: certutil.exe
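Both Sigma hits fire on the same event: nt_system_service.exe runs a bundled NSS certutil (not the Microsoft certutil.exe from System32, hence the execution-location rule) with 8.3 short-name paths (hence the short-name rule). The part that matters for the victim is the option set itself: `-A -t "TCu"` imports a DER certificate into the Firefox profile's SQLite certificate store (`-d sql:...\Profiles\V6ZCHH~1.DEF`) with the `C` flag, which marks it as a CA trusted to issue TLS server certificates. Together with the protocol-filter library and the WinPcap driver listed under the PDB paths below, that is what lets the sample read Firefox traffic after TLS termination. The following triage helper, an added example that is not code from the report or from the sample, tokenizes such a command line and derives findings from the NSS option semantics; the `PUBLIC_CA_NAMES` watchlist and the verdict labels are this example's own assumptions, and Microsoft's certutil.exe syntax (`-addstore`) is deliberately out of scope.

```python
"""Triage an NSS certutil command line from process-creation telemetry.

Added example; not code from the sandbox report or from the analysed sample.
NSS certutil semantics relied on (NSS certutil, not Microsoft's certutil.exe):
  -A            add a certificate to the database
  -t <flags>    trust string "SSL,email,objsign"; with no commas only the SSL field is given
  -d sql:<dir>  operate on the SQLite cert9.db/key4.db in <dir>
SSL trust letters: C = trusted CA for server certs, T = trusted CA for client certs,
P = trusted peer, p = peer, u = user certificate.
"""
import re

# Copied from the report's process tree (PID 6224); the only non-constructed input here.
REPORT_CMDLINE = r'''nss\certutil -A -t "TCu" -i "C:\PROGRA~2\WIE901~1\app_data\DE_NET~1/SSL/DIGICE~1.CER" -n "de_netfilter/SSL/DigiCert SHA2 Extended Validation Server CA 3" -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\V6ZCHH~1.DEF" -f pwfile'''

# Illustrative watchlist (assumption): public CA brands whose names a rogue cert may borrow.
PUBLIC_CA_NAMES = ("digicert", "globalsign", "sectigo", "entrust", "let's encrypt")


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, honouring double quotes and
    keeping backslashes (shlex in POSIX mode would strip them)."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_certutil(cmdline: str) -> dict:
    """Extract the certutil options that matter for certificate-store tampering."""
    toks = tokenize(cmdline)
    opts = {"image": toks[0] if toks else "", "add": False, "trust": "",
            "infile": "", "nickname": "", "dbdir": "", "pwfile": ""}
    i = 1
    while i < len(toks):
        t = toks[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if t == "-A":
            opts["add"] = True
        elif t in ("-t", "-i", "-n", "-d", "-f"):
            key = {"-t": "trust", "-i": "infile", "-n": "nickname", "-d": "dbdir", "-f": "pwfile"}[t]
            opts[key] = re.sub(r"^(sql|dbm):", "", nxt) if t == "-d" else nxt
            i += 1  # skip the option's value
        i += 1
    return opts


def ssl_trust_flags(trust: str) -> str:
    """The first comma-separated field of an NSS trust string is the SSL field."""
    return trust.split(",")[0]


def assess(cmdline: str) -> dict:
    """Return the parsed options, a list of findings and a verdict label."""
    o = parse_certutil(cmdline)
    ssl = ssl_trust_flags(o["trust"])
    findings = []
    if o["add"]:
        findings.append("adds a certificate to an NSS database")
    if "C" in ssl:
        findings.append("grants CA trust for TLS server certificates (C flag)")
    firefox = bool(re.search(r"\\Mozilla\\Firefox\\Profiles\\", o["dbdir"], re.I))
    if firefox:
        findings.append("targets a Firefox profile certificate store")
    if any(re.search(r"~\d", p) for p in (o["image"], o["infile"], o["dbdir"])):
        findings.append("uses 8.3 short-name path components")
    if any(name in o["nickname"].lower() for name in PUBLIC_CA_NAMES):
        findings.append("nickname borrows a public CA name")
    if not re.match(r"(?i)^[a-z]:\\Windows\\System32\\certutil\.exe$", o["image"]):
        # NSS certutil shares its file name with Microsoft's tool but ships inside app directories.
        findings.append("certutil image is not the Windows System32 binary")
    if not o["add"]:
        verdict = "no-store-change"
    elif "C" in ssl and firefox:
        verdict = "tls-interception-setup"
    else:
        verdict = "certificate-store-change"
    return {"options": o, "findings": findings, "verdict": verdict}
```

Run `assess(REPORT_CMDLINE)` to reproduce the report's case; the same function applied to a Sysmon event ID 1 or 4688 feed gives a higher-fidelity signal than the two generic Sigma rules, because it keys on the trust flag and the target store rather than on the path style.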
No Snort rule has matched

Source: 5006_2.6.2.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Window detected: Software Installation | I agree to install this software only on computers that I own. I also agree to inform anyone who uses those computers that their computer usage may be monitored.Please read the following License Agreement. Press the PAGE DOWN key to see the rest of the agreement.Do you accept all the terms of the preceeding License Agreement? If you choose No Setup will close. To Install this software you must accept this agreement.SOFTWARE END USER LICENSE AGREEMENTPLEASE CAREFULLY READ THIS END USER LICENSE AGREEMENT (LICENSE) PRIOR TO USING THE SOFTWARE (SOFTWARE). BY USING THE SOFTWARE YOU AGREE TO ADHERE TO THE TERMS OF THIS LICENSE. IF YOU DO NOT ACCEPT THE TERMS OF THIS LICENSE DO NOT INSTALL OR USE THE SOFTWARE AND DELETE THE SOFTWARE AND ALL OF ITS RELATED FILES FROM YOUR DEVICE. THIS END USER LICENSE AGREEMENT (EULA) IS A LEGAL AGREEMENT BETWEEN YOU (THE USER) AND APPLICATION PROVIDER FOR USE OF THE SOFTWARE. BY DOWNLOADING INSTALLING OR OTHERWISE USING THE SOFTWARE YOU AGREE TO BE BOUND BY THE TERMS OF THIS EULA. IF YOU DO NOT AGREE TO THE TERMS OF THIS EULA YOU MAY NOT DOWNLOAD INSTALL OR USE THE SOFTWARE.BY ACCEPTING THIS AGREEMENT YOU AGREE TO INSTALL THIS SOFTWARE ONLY ON A DEVICE OR DEVICES OWNED BY TO USE IT ONLY IN CONNECTION WITH AN ACCOUNT APPLICATION OR PROGRAM YOU HAVE THE LEGAL RIGHT TO ACCESS. YOU ALSO AGREE TO INFORM ANY PERSON(S) WHO USE(S) A DEVICE WITH THE SOFTWARE INSTALLED AND ANY OTHER PERSON WITH THE RIGHT TO ACCESS A MONITORED ACCOUNT OF THE PRESENCE OF THE SOFTWARE. FAILURE TO COMPLY MAY RESULT IN YOU BREAKING STATE AND FEDERAL LAWS. YOU UNDERSTAND AND AGREE THAT YOU SHALL BE RESPONSIBLE FOR ANY LEGAL COSTS INCURRED BY APPLICATION PROVIDER RESULTING FROM YOUR IMPROPER OR ILLEGAL USE OF THE SOFTWARE. 
User agrees that the installation and use of the Software will be in accordance with all local state and federal laws governing the monitoring of device account application or program activity and usage. User acknowledges that it is prohibited and against the terms of this Agreement NOT to inform any third party that User is monitoring the device account application or program with the Software and that their usage is subject to monitoring and recording.The application software that is subject to this license is referred to in this license as the Licensed Software. The Licensed Software and any other products offered on this website are licensed not sold to You. Vendor (further referred to in this license as Application Provider) reserves all rights not expressly granted to You.a. Scope of License: Application Provider grants You a non-exclusive non-transferable End-User license right to install the Licensed Software on one computer that You own or control. Nothing in this license should be interpreted as permitting installation of the Licensed Software on any device You do not own or control or which You do not have the legal right to monitor or to monitor any account application or program You do not have the
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | File created: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49740 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49744 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49745 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49746 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49748 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49750 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49752 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49753 version: TLS 1.2
Source: 5006_2.6.2.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\tools\vcpkg\buildtrees\protobuf\x86-windows-v140-rel\libprotobuf-lite.pdb??! source: rundll32.exe, 0000000A.00000002.4464191235.000000006A9CD000.00000002.00000001.01000000.0000001D.sdmp, libprotobuf-lite.dll0.3.dr
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\Release_Fxs_Production\post_install.pdbWW source: post_install.exe, 00000004.00000000.2119366297.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp, post_install.exe, 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\release_fxs_production\antivirus_detector.pdbOO source: antivirus_detector.exe, 00000002.00000000.1990976682.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp, antivirus_detector.exe, 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: C:\build\openssl-develop\packages\openssl-1.1.0\libssl.pdb source: svcAppLookup.exe, 00000008.00000002.4462687887.000000006BDA3000.00000002.00000001.01000000.00000015.sdmp, rundll32.exe, 0000000A.00000002.4466303204.000000006BDA3000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\release_fxs_production\uninstall.pdbXX source: uninstall.exe0.3.dr
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\release_fxs_production\svcAppUpdate.pdbCC source: svcAppUpdate.exe, 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp, svcAppUpdate.exe, 00000005.00000000.2149789521.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\release_fxs_production\windows_hook_64.pdb source: rundll32.exe, 0000000B.00000002.4459240973.00007FF8A9325000.00000002.00000001.01000000.00000020.sdmp
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\release_fxs_production\uninstall.pdb source: uninstall.exe0.3.dr
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\Release_Fxs_Production\post_install.pdb source: post_install.exe, 00000004.00000000.2119366297.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp, post_install.exe, 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\release_fxs_production\svcAppInit.pdb source: svcAppInit.exe, 00000007.00000000.2189559977.0000000000818000.00000002.00000001.01000000.0000000D.sdmp, svcAppInit.exe, 00000007.00000002.4458028771.0000000000818000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\release_fxs_production\nt_system_service.pdbuu+4GCTL source: nt_system_service.exe, 00000009.00000002.4458728112.00000000009B5000.00000002.00000001.01000000.0000000F.sdmp, nt_system_service.exe, 00000009.00000000.2191105493.00000000009B5000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: c:\releases\winpcap_4_1_3\winpcap\packetNtx\Dll\Project\Release No NetMon\x86\Packet.pdb source: rundll32.exe, 0000000A.00000002.4459330719.000000000434F000.00000002.00000001.01000000.0000001F.sdmp
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\release_fxs_production\svcAppUpdate.pdb source: svcAppUpdate.exe, 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp, svcAppUpdate.exe, 00000005.00000000.2149789521.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\release_fxs_production\nt_system_service.pdb source: nt_system_service.exe, 00000009.00000002.4458728112.00000000009B5000.00000002.00000001.01000000.0000000F.sdmp, nt_system_service.exe, 00000009.00000000.2191105493.00000000009B5000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: C:\build\openssl-develop\packages\openssl-1.1.0\libcrypto.pdb source: svcAppLookup.exe, 00000008.00000002.4461735294.000000006BC6F000.00000002.00000001.01000000.00000018.sdmp, rundll32.exe, 0000000A.00000002.4465825694.000000006BC6F000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\release_fxs_production\svcAppInit.pdbNN source: svcAppInit.exe, 00000007.00000000.2189559977.0000000000818000.00000002.00000001.01000000.0000000D.sdmp, svcAppInit.exe, 00000007.00000002.4458028771.0000000000818000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: D:\tools\vcpkg\buildtrees\protobuf\x86-windows-v140-rel\libprotobuf-lite.pdb source: rundll32.exe, 0000000A.00000002.4464191235.000000006A9CD000.00000002.00000001.01000000.0000001D.sdmp, libprotobuf-lite.dll0.3.dr
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\release_fxs_production\windows_hook.pdb source: antivirus_detector.exe, 00000002.00000002.4460746995.000000006A5EB000.00000002.00000001.01000000.0000002A.sdmp, svcAppLookup.exe, 00000008.00000003.2191222252.000000000123E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4463926030.000000006A5EB000.00000002.00000001.01000000.0000002A.sdmp
Source: Binary string: C:\projects\projectsJ\nfsdk2_1.6\protocolfilters\build\release_static_ssl\win32\protocolfilters.pdb source: nt_system_service.exe, 00000009.00000002.4463173082.000000006C90B000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\release_fxs_production\svcAppLookup.pdbnn92GCTL source: svcAppLookup.exe, 00000008.00000000.2190159565.00000000006FE000.00000002.00000001.01000000.0000000E.sdmp, svcAppLookup.exe, 00000008.00000002.4458238469.00000000006FE000.00000002.00000001.01000000.0000000E.sdmp, svcAppLookup.exe0.3.dr
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\release_fxs_production\svcAppLookup.pdb source: svcAppLookup.exe, 00000008.00000000.2190159565.00000000006FE000.00000002.00000001.01000000.0000000E.sdmp, svcAppLookup.exe, 00000008.00000002.4458238469.00000000006FE000.00000002.00000001.01000000.0000000E.sdmp, svcAppLookup.exe0.3.dr
Source: Binary string: c:\releases\winpcap_4_1_3\winpcap\packetntx\driver\bin\amd64\npf.pdb source: main_installer.exe, 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\Release_Fxs_Production\svcAppLookup.pdb source: svcAppLookup.exe, 00000008.00000002.4464223091.000000006C4F5000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\build\openssl-develop\packages\openssl-1.1.0\libssl.pdb== source: svcAppLookup.exe, 00000008.00000002.4462687887.000000006BDA3000.00000002.00000001.01000000.00000015.sdmp, rundll32.exe, 0000000A.00000002.4466303204.000000006BDA3000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: c:\releases\winpcap_4_1_3\winpcap\wpcap\PRJ\Release\x86\wpcap.pdb source: rundll32.exe, 0000000A.00000002.4463801692.0000000010029000.00000002.00000001.01000000.0000001E.sdmp
Source: Binary string: e:\PTHREADS\pthreads\pthreadVC.pdb source: pthreadVC.dll.3.dr
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\Release_Fxs_Production\svcAppInit.pdb source: rundll32.exe, 0000000A.00000002.4464986715.000000006B282000.00000002.00000001.01000000.0000001B.sdmp, svcAppInit.dll0.3.dr
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\release_fxs_production\antivirus_detector.pdb source: antivirus_detector.exe, 00000002.00000000.1990976682.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp, antivirus_detector.exe, 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\Release_Fxs_Production\svcAppLookup.pdbn source: svcAppLookup.exe, 00000008.00000002.4464223091.000000006C4F5000.00000002.00000001.01000000.00000011.sdmp
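The PDB strings above are the most reliable attribution evidence on this page: every first-party module (antivirus_detector, post_install, svcAppUpdate, svcAppInit, svcAppLookup, nt_system_service, uninstall, windows_hook, windows_hook_64) was built from the same `c:\build\workspace\Windows_build_test-Flexispy\...` tree, and the third-party paths name the components that implement the network behaviour: WinPcap 4.1.3 (Packet.pdb, wpcap.pdb and the amd64 npf.pdb driver, which is the "drops a device driver" signature), OpenSSL 1.1.0, protobuf-lite, pthreads, and nfsdk2 protocolfilters.pdb, which appears to be the NetFilter SDK protocol-filter library that, together with the certificate injected into the Firefox store, provides TLS interception. Several strings are listed twice because the report matched both the clean path and the same path with trailing bytes from the binary (`pdb??!`, `pdbWW`, `pdbuu+4GCTL`). The following pivot helper, an added example that is not code from the report or from the sample, parses such lines, discards the trailing bytes, and groups the PDBs by build tree; the seven sample lines are copied from the report, while the grouping regex and the third-party marker table are this example's own assumptions.

```python
"""Pivot on PDB paths listed under 'Binary string' in a sandbox report.

Added example; not code from the report or from the analysed sample. The lines in
SAMPLE_LINES are copied from the report; the grouping rules and the third-party
component table are this example's own assumptions.
"""
import re
from collections import defaultdict

SAMPLE_LINES = [
    r"Source: Binary string: D:\tools\vcpkg\buildtrees\protobuf\x86-windows-v140-rel\libprotobuf-lite.pdb??! source: rundll32.exe, 0000000A.00000002.4464191235.000000006A9CD000.00000002.00000001.01000000.0000001D.sdmp, libprotobuf-lite.dll0.3.dr",
    r"Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\Release_Fxs_Production\post_install.pdbWW source: post_install.exe, 00000004.00000000.2119366297.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp, post_install.exe, 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp",
    r"Source: Binary string: C:\build\openssl-develop\packages\openssl-1.1.0\libssl.pdb source: svcAppLookup.exe, 00000008.00000002.4462687887.000000006BDA3000.00000002.00000001.01000000.00000015.sdmp, rundll32.exe, 0000000A.00000002.4466303204.000000006BDA3000.00000002.00000001.01000000.00000015.sdmp",
    r"Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\release_fxs_production\nt_system_service.pdbuu+4GCTL source: nt_system_service.exe, 00000009.00000002.4458728112.00000000009B5000.00000002.00000001.01000000.0000000F.sdmp, nt_system_service.exe, 00000009.00000000.2191105493.00000000009B5000.00000002.00000001.01000000.0000000F.sdmp",
    r"Source: Binary string: c:\releases\winpcap_4_1_3\winpcap\packetntx\driver\bin\amd64\npf.pdb source: main_installer.exe, 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp",
    r"Source: Binary string: C:\projects\projectsJ\nfsdk2_1.6\protocolfilters\build\release_static_ssl\win32\protocolfilters.pdb source: nt_system_service.exe, 00000009.00000002.4463173082.000000006C90B000.00000002.00000001.01000000.00000010.sdmp",
    r"Source: Binary string: e:\PTHREADS\pthreads\pthreadVC.pdb source: pthreadVC.dll.3.dr",
]

# Path fragments that identify bundled third-party components (assumption: this table is
# the example's own, derived from the paths in the report, not from any vendor documentation).
THIRD_PARTY = {
    "openssl": "OpenSSL",
    "winpcap": "WinPcap",
    "protobuf": "protobuf",
    "pthreads": "pthreads-win32",
    "nfsdk": "NetFilter SDK (protocolfilters)",
}

# Lazy match up to the first ".pdb"; whatever non-space bytes follow it are binary residue.
PDB_RE = re.compile(r"Binary string: (?P<path>.+?\.pdb)(?P<junk>\S*) source: (?P<src>.*)")
# Joe Sandbox memory-dump identifiers look like 0000000A.00000002.<digits>...sdmp
DUMP_ID_RE = re.compile(r"[0-9A-Fa-f.]+\.sdmp")


def parse_line(line: str):
    """Return {path, junk, modules} for a 'Binary string' line, or None if it is not one."""
    m = PDB_RE.search(line)
    if not m:
        return None
    sources = [s.strip() for s in m["src"].split(", ")]
    modules = sorted({s for s in sources if not DUMP_ID_RE.fullmatch(s)})
    return {"path": m["path"], "junk": m["junk"], "modules": modules}


def classify(path: str):
    """Map a PDB path to ('first-party', workspace) or ('third-party', component)."""
    m = re.search(r"\\build\\workspace\\([^\\]+)\\", path, re.I)
    if m:
        return "first-party", m.group(1)
    lowered = path.lower()
    for marker, label in THIRD_PARTY.items():
        if marker in lowered:
            return "third-party", label
    return "unknown", path


def pivot(lines) -> dict:
    """Group PDB basenames and the modules carrying them by build tree / component."""
    groups = defaultdict(lambda: defaultdict(lambda: {"pdbs": set(), "modules": set()}))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind, name = classify(rec["path"])
        slot = groups[kind][name]
        slot["pdbs"].add(rec["path"].rsplit("\\", 1)[-1])
        slot["modules"].update(rec["modules"])
    return {kind: {name: {"pdbs": sorted(v["pdbs"]), "modules": sorted(v["modules"])}
                   for name, v in members.items()}
            for kind, members in groups.items()}
```

The workspace name is the pivot: the same regex run over a string dump of any unknown module tells you whether it comes from the same build tree before any behavioural analysis.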
Source: C:\Users\user\Desktop\5006_2.6.2.exe | Code function: 0_2_00406313 FindFirstFileA,FindClose,0_2_00406313
Source: C:\Users\user\Desktop\5006_2.6.2.exe | Code function: 0_2_00402765 FindFirstFileA,0_2_00402765
Source: C:\Users\user\Desktop\5006_2.6.2.exe | Code function: 0_2_004057D8 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_004057D8
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Code function: 2_2_009FD380 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,GetLastError,2_2_009FD380
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | Code function: 3_2_00406313 FindFirstFileA,FindClose,3_2_00406313
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | Code function: 3_2_004057D8 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,3_2_004057D8
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | Code function: 3_2_00402765 FindFirstFileA,3_2_00402765
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Code function: 4_2_005C6A90 GetLastError,WTSQueryUserToken,SHGetFolderPathW,CloseHandle,GetLastError,SHGetSpecialFolderPathW,FindFirstFileW,_stat64i32,FindNextFileW,GetLastError,FindClose,GetLastError,4_2_005C6A90
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Code function: 4_2_005BAA30 GetFileAttributesA,FindFirstFileA,FindNextFileA,remove,FindNextFileA,FindClose,GetLastError,4_2_005BAA30
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Code function: 4_2_005BA790 Sleep,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,GetLastError,4_2_005BA790
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: 9_2_6C687A00 FindFirstFileW,DeleteFileW,FindNextFileW,DeleteFileW,FindNextFileW,FindClose,9_2_6C687A00
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: 9_2_6C655780 _memset,Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,9_2_6C655780
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: 9_2_6C655ED0 _memset,Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception,ExpandEnvironmentStringsW,Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception,FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,FindClose,EnterCriticalSection,LeaveCriticalSection,9_2_6C655ED0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | File opened: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | File opened: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\

Networking

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 119.8.47.97 443
Source: global traffic | HTTP traffic detected: GET /?encoding=utf8 HTTP/1.1; Host: push.mobilefonex.com; Origin: https://push.mobilefonex.com; deviceId: 4953fa9c79e97e8601886c5ba93b6ec1; Connection: Upgrade; Upgrade: websocket; Sec-WebSocket-Version: 13; Sec-WebSocket-Key: nBGeczvijzupKaYAUSH4RA==
Source: global traffic | HTTP traffic detected: GET /?encoding=utf8 HTTP/1.1; Host: push.mobilefonex.com; Origin: https://push.mobilefonex.com; deviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdog; Connection: Upgrade; Upgrade: websocket; Sec-WebSocket-Version: 13; Sec-WebSocket-Key: VZePNLUYezwqL5AtQJhrXg==
Source: global traffic | HTTP traffic detected: GET /?encoding=utf8 HTTP/1.1; Host: push.mobilefonex.com; Origin: https://push.mobilefonex.com; deviceId: 4953fa9c79e97e8601886c5ba93b6ec1; Connection: Upgrade; Upgrade: websocket; Sec-WebSocket-Version: 13; Sec-WebSocket-Key: K06wdEYcvgB+fcNv0a6mOQ==
Source: global traffic | HTTP traffic detected: GET /?encoding=utf8 HTTP/1.1; Host: push.mobilefonex.com; Origin: https://push.mobilefonex.com; deviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdog; Connection: Upgrade; Upgrade: websocket; Sec-WebSocket-Version: 13; Sec-WebSocket-Key: d3uAPPyZNgZMaYsxjzOdHQ==
Source: global traffic | HTTP traffic detected: GET /?encoding=utf8 HTTP/1.1; Host: push.mobilefonex.com; Origin: https://push.mobilefonex.com; deviceId: 4953fa9c79e97e8601886c5ba93b6ec1; Connection: Upgrade; Upgrade: websocket; Sec-WebSocket-Version: 13; Sec-WebSocket-Key: 46xSSJDLTXcqnjdLJO/7FQ==
Source: global traffic | HTTP traffic detected: GET /?encoding=utf8 HTTP/1.1; Host: push.mobilefonex.com; Origin: https://push.mobilefonex.com; deviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdog; Connection: Upgrade; Upgrade: websocket; Sec-WebSocket-Version: 13; Sec-WebSocket-Key: RVKJB9qTozfjyIZpU2jteA==
Source: global traffic | HTTP traffic detected: GET /?encoding=utf8 HTTP/1.1; Host: push.mobilefonex.com; Origin: https://push.mobilefonex.com; deviceId: 4953fa9c79e97e8601886c5ba93b6ec1; Connection: Upgrade; Upgrade: websocket; Sec-WebSocket-Version: 13; Sec-WebSocket-Key: gU9dZVRrU0S384gBzBZzJQ==
Source: global traffic | HTTP traffic detected: GET /?encoding=utf8 HTTP/1.1; Host: push.mobilefonex.com; Origin: https://push.mobilefonex.com; deviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdog; Connection: Upgrade; Upgrade: websocket; Sec-WebSocket-Version: 13; Sec-WebSocket-Key: D7WQUDGO1FMmNFlXiHEsfw==
Source: global traffic | HTTP traffic detected: GET /?encoding=utf8 HTTP/1.1; Host: push.mobilefonex.com; Origin: https://push.mobilefonex.com; deviceId: 4953fa9c79e97e8601886c5ba93b6ec1; Connection: Upgrade; Upgrade: websocket; Sec-WebSocket-Version: 13; Sec-WebSocket-Key: EGL7SsaWqH3VO95A5yYQDw==
Source: global traffic | HTTP traffic detected: GET /?encoding=utf8 HTTP/1.1; Host: push.mobilefonex.com; Origin: https://push.mobilefonex.com; deviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdog; Connection: Upgrade; Upgrade: websocket; Sec-WebSocket-Version: 13; Sec-WebSocket-Key: oY4aLcRoOTHFmKQvdTb6Ew==
Source: global traffic | HTTP traffic detected: GET /?encoding=utf8 HTTP/1.1; Host: push.mobilefonex.com; Origin: https://push.mobilefonex.com; deviceId: 4953fa9c79e97e8601886c5ba93b6ec1; Connection: Upgrade; Upgrade: websocket; Sec-WebSocket-Version: 13; Sec-WebSocket-Key: axusKlgQIQCd1L1tHavMSg==
Source: global traffic | HTTP traffic detected: GET /?encoding=utf8 HTTP/1.1; Host: push.mobilefonex.com; Origin: https://push.mobilefonex.com; deviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdog; Connection: Upgrade; Upgrade: websocket; Sec-WebSocket-Version: 13; Sec-WebSocket-Key: zRffd4tou1bFsuBcvjgGSg==
Source: global traffic | HTTP traffic detected: GET /?encoding=utf8 HTTP/1.1; Host: push.mobilefonex.com; Origin: https://push.mobilefonex.com; deviceId: 4953fa9c79e97e8601886c5ba93b6ec1; Connection: Upgrade; Upgrade: websocket; Sec-WebSocket-Version: 13; Sec-WebSocket-Key: GpQWHSA2bQg5Tth8GFqfeA==
Source: global traffic | HTTP traffic detected: GET /?encoding=utf8 HTTP/1.1; Host: push.mobilefonex.com; Origin: https://push.mobilefonex.com; deviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdog; Connection: Upgrade; Upgrade: websocket; Sec-WebSocket-Version: 13; Sec-WebSocket-Key: KviYWWfoRxp63PoxyhdeWg==
Source: global traffic | HTTP traffic detected: GET /?encoding=utf8 HTTP/1.1; Host: push.mobilefonex.com; Origin: https://push.mobilefonex.com; deviceId: 4953fa9c79e97e8601886c5ba93b6ec1; Connection: Upgrade; Upgrade: websocket; Sec-WebSocket-Version: 13; Sec-WebSocket-Key: tQ9ERyidHSiMxwJwv5aubA==
Source: global traffic | HTTP traffic detected: GET /?encoding=utf8 HTTP/1.1; Host: push.mobilefonex.com; Origin: https://push.mobilefonex.com; deviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdog; Connection: Upgrade; Upgrade: websocket; Sec-WebSocket-Version: 13; Sec-WebSocket-Key: xDA8Tf3dtThMnYE/Wy9yRg==
Source: global traffic | HTTP traffic detected: GET /?encoding=utf8 HTTP/1.1; Host: push.mobilefonex.com; Origin: https://push.mobilefonex.com; deviceId: 4953fa9c79e97e8601886c5ba93b6ec1; Connection: Upgrade; Upgrade: websocket; Sec-WebSocket-Version: 13; Sec-WebSocket-Key: +nx2ZhhyzmmBVlYjWtO3Dg==
Source: global trafficHTTP traffic detected: GET /?encoding=utf8 HTTP/1.1Host: push.mobilefonex.comOrigin: https://push.mobilefonex.comdeviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdogConnection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: 2VQ5IS4IEXxEq1ILCPHLdA==
Source: global trafficHTTP traffic detected: GET /?encoding=utf8 HTTP/1.1Host: push.mobilefonex.comOrigin: https://push.mobilefonex.comdeviceId: 4953fa9c79e97e8601886c5ba93b6ec1Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: AKX0GlLjTUnejKRQwtQCPw==
Source: global trafficHTTP traffic detected: GET /?encoding=utf8 HTTP/1.1Host: push.mobilefonex.comOrigin: https://push.mobilefonex.comdeviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdogConnection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: FW8RC3SavSmzTKt7Ct3dJA==
Source: global trafficHTTP traffic detected: GET /?encoding=utf8 HTTP/1.1Host: push.mobilefonex.comOrigin: https://push.mobilefonex.comdeviceId: 4953fa9c79e97e8601886c5ba93b6ec1Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: bA8rED+SgjX6Uolww2uuDQ==
Source: global trafficHTTP traffic detected: GET /?encoding=utf8 HTTP/1.1Host: push.mobilefonex.comOrigin: https://push.mobilefonex.comdeviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdogConnection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: M/0dZgAmK2bbc4EhfjMHEA==
Source: global trafficHTTP traffic detected: GET /?encoding=utf8 HTTP/1.1Host: push.mobilefonex.comOrigin: https://push.mobilefonex.comdeviceId: 4953fa9c79e97e8601886c5ba93b6ec1Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: qzPdUq9BpTNFaSdmFqlGJA==
Source: global trafficHTTP traffic detected: GET /?encoding=utf8 HTTP/1.1Host: push.mobilefonex.comOrigin: https://push.mobilefonex.comdeviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdogConnection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: 45j3WK3v00YIQtxIR4wVAQ==
Source: global trafficHTTP traffic detected: GET /?encoding=utf8 HTTP/1.1Host: push.mobilefonex.comOrigin: https://push.mobilefonex.comdeviceId: 4953fa9c79e97e8601886c5ba93b6ec1Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: 3N+OWOC7QVBYyZxJTa95dg==
Source: global trafficHTTP traffic detected: GET /?encoding=utf8 HTTP/1.1Host: push.mobilefonex.comOrigin: https://push.mobilefonex.comdeviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdogConnection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: w+coMVxmqTHBeYxLkCWxaA==
Source: global trafficHTTP traffic detected: GET /?encoding=utf8 HTTP/1.1Host: push.mobilefonex.comOrigin: https://push.mobilefonex.comdeviceId: 4953fa9c79e97e8601886c5ba93b6ec1Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: uG8rQ8WHDRKy1uJwIegFIg==
Source: global trafficHTTP traffic detected: GET /?encoding=utf8 HTTP/1.1Host: push.mobilefonex.comOrigin: https://push.mobilefonex.comdeviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdogConnection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: YClmIY75KzN1bTQcf+bcJg==
Source: global trafficHTTP traffic detected: GET /?encoding=utf8 HTTP/1.1Host: push.mobilefonex.comOrigin: https://push.mobilefonex.comdeviceId: 4953fa9c79e97e8601886c5ba93b6ec1Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: +yf5IUkAU3MZ9EhxqRkdSQ==
Source: global trafficHTTP traffic detected: GET /?encoding=utf8 HTTP/1.1Host: push.mobilefonex.comOrigin: https://push.mobilefonex.comdeviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdogConnection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: mkyZFH/MkXu0wmR8kAh4EA==
Source: global trafficHTTP traffic detected: GET /?encoding=utf8 HTTP/1.1Host: push.mobilefonex.comOrigin: https://push.mobilefonex.comdeviceId: 4953fa9c79e97e8601886c5ba93b6ec1Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: SSvbBKsfTCgKzR0PoKC+NQ==
Source: global trafficHTTP traffic detected: GET /?encoding=utf8 HTTP/1.1Host: push.mobilefonex.comOrigin: https://push.mobilefonex.comdeviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdogConnection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: m01UNCzrLHDF9bAo7l38Kw==
Source: global trafficHTTP traffic detected: GET /?encoding=utf8 HTTP/1.1Host: push.mobilefonex.comOrigin: https://push.mobilefonex.comdeviceId: 4953fa9c79e97e8601886c5ba93b6ec1Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: beJlBoaEBnWpfthTDuBmNw==
Source: global trafficHTTP traffic detected: GET /?encoding=utf8 HTTP/1.1Host: push.mobilefonex.comOrigin: https://push.mobilefonex.comdeviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdogConnection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: DZcBL4vzvTm+DZE9+xTdTQ==
Source: global trafficHTTP traffic detected: GET /?encoding=utf8 HTTP/1.1Host: push.mobilefonex.comOrigin: https://push.mobilefonex.comdeviceId: 4953fa9c79e97e8601886c5ba93b6ec1Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: x7G4OczQ+yNPPNYJ6kOCXA==
Source: global trafficHTTP traffic detected: GET /?encoding=utf8 HTTP/1.1Host: push.mobilefonex.comOrigin: https://push.mobilefonex.comdeviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdogConnection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: 9IS/FLMNKB63WpA5rAhtNw==
Source: global trafficHTTP traffic detected: GET /?encoding=utf8 HTTP/1.1Host: push.mobilefonex.comOrigin: https://push.mobilefonex.comdeviceId: 4953fa9c79e97e8601886c5ba93b6ec1Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: dKkrZez1mjrnXJluXooFCA==
Source: global trafficHTTP traffic detected: GET /?encoding=utf8 HTTP/1.1Host: push.mobilefonex.comOrigin: https://push.mobilefonex.comdeviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdogConnection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: EVQFTYM/XUMj8y127qJCRw==
Source: global trafficHTTP traffic detected: GET /?encoding=utf8 HTTP/1.1Host: push.mobilefonex.comOrigin: https://push.mobilefonex.comdeviceId: 4953fa9c79e97e8601886c5ba93b6ec1Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: BYg5cUonXixA8AxSrtjCJQ==
Source: global trafficHTTP traffic detected: GET /?encoding=utf8 HTTP/1.1Host: push.mobilefonex.comOrigin: https://push.mobilefonex.comdeviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdogConnection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: WHSlChQsUEDWLbIK9lZ6cA==
Source: Joe Sandbox View | ASN Name: HWCLOUDS-AS-APHUAWEICLOUDSHK HWCLOUDS-AS-APHUAWEICLOUDSHK
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: 9_2_008F8180 InternetOpenW,InternetConnectA,InternetCloseHandle,HttpOpenRequestA,InternetCloseHandle,HttpAddRequestHeadersA,HttpSendRequestW,memset,HttpQueryInfoW,HttpQueryInfoA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,fopen_s,InternetReadFile,fwrite,fclose,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 9_2_008F8180
Source: global traffic | HTTP traffic detected: GET /?encoding=utf8 HTTP/1.1 | Host: push.mobilefonex.com | Origin: https://push.mobilefonex.com | deviceId: 4953fa9c79e97e8601886c5ba93b6ec1 | Connection: Upgrade | Upgrade: websocket | Sec-WebSocket-Version: 13 | Sec-WebSocket-Key: nBGeczvijzupKaYAUSH4RA==
Source: global traffic | HTTP traffic detected: GET /?encoding=utf8 HTTP/1.1 | Host: push.mobilefonex.com | Origin: https://push.mobilefonex.com | deviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdog | Connection: Upgrade | Upgrade: websocket | Sec-WebSocket-Version: 13 | Sec-WebSocket-Key: VZePNLUYezwqL5AtQJhrXg==
Source: global traffic | HTTP traffic detected: GET /?encoding=utf8 HTTP/1.1 | Host: push.mobilefonex.com | Origin: https://push.mobilefonex.com | deviceId: 4953fa9c79e97e8601886c5ba93b6ec1 | Connection: Upgrade | Upgrade: websocket | Sec-WebSocket-Version: 13 | Sec-WebSocket-Key: K06wdEYcvgB+fcNv0a6mOQ==
Source: unknown | DNS traffic detected: queries for: push.mobilefonex.com
Source: nt_system_service.exe, 00000009.00000002.4463173082.000000006C90B000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://.css
Source: nt_system_service.exe, 00000009.00000002.4463173082.000000006C90B000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://.jpg
Source: certutil.exe, 0000000C.00000003.2199415266.00000000022DB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2201853866.00000000022EB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203013749.0000000001C9B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: certutil.exe, 0000000C.00000003.2199415266.00000000022DB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2201853866.00000000022EB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203013749.0000000001C9B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: rundll32.exe, 0000000A.00000002.4459759875.000000000488A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://client.mobilefonex.com/gateway
Source: rundll32.exe, 0000000A.00000002.4459759875.000000000488A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://client.mobilefonex.com/gateway/unstructured
Source: rundll32.exe, 0000000A.00000002.4459759875.000000000488A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://client.mobilefonex.com/gateway/unstructureda
Source: rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://client.mobilefonex.com/gateway/unstructuredy
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://client.mobilefonex.com/gatewayV
Source: certutil.exe, 0000000C.00000003.2199415266.00000000022DB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2201853866.00000000022EB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203013749.0000000001C9B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: main_installer.exe, 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: certutil.exe, 0000000C.00000003.2199415266.00000000022DB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2201853866.00000000022EB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203013749.0000000001C9B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: certutil.exe, 0000000C.00000003.2199415266.00000000022DB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2201853866.00000000022EB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203013749.0000000001C9B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: certutil.exe, 0000000C.00000003.2199415266.00000000022DB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2201853866.00000000022EB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203013749.0000000001C9B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: certutil.exe, 0000000C.00000003.2199415266.00000000022DB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2201853866.00000000022EB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203013749.0000000001C9B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: nt_system_service.exe, 00000009.00000002.4463173082.000000006C90B000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: svcAppInit.dll0.3.dr | String found in binary or memory: http://maps.google.com/?q=
Source: main_installer.exe, main_installer.exe, 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp, main_installer.exe, 00000003.00000000.2085500259.000000000040A000.00000008.00000001.01000000.00000008.sdmp, 5006_2.6.2.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 5006_2.6.2.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: certutil.exe, 0000000C.00000003.2199415266.00000000022DB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2201853866.00000000022EB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203013749.0000000001C9B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: certutil.exe, 0000000C.00000003.2199415266.00000000022DB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2201853866.00000000022EB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203013749.0000000001C9B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: main_installer.exe, 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp | String found in binary or memory: http://ocsp.thawte.com0
Source: main_installer.exe, 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: main_installer.exe, 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: main_installer.exe, 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: svcAppLookup.exe, svcAppLookup.exe, 00000008.00000002.4458821210.000000000121A000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4461246118.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4465587996.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp, PocoXML.dll0.3.dr | String found in binary or memory: http://www.appinf.com/features/enable-partial-reads
Source: svcAppLookup.exe, 00000008.00000002.4461246118.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4465587996.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, PocoXML.dll0.3.dr | String found in binary or memory: http://www.appinf.com/features/enable-partial-readsCannot
Source: rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.appinf.com/features/enable-partial-readsent-contentJ
Source: PocoXML.dll0.3.dr | String found in binary or memory: http://www.appinf.com/features/no-whitespace-in-element-content
Source: rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.appinf.com/features/no-whitespace-in-element-contentS
Source: certutil.exe, 0000000C.00000002.2206821485.000000006A819000.00000002.00000001.01000000.00000024.sdmp, libnspr4.dll.3.dr | String found in binary or memory: http://www.mozilla.org/MPL/
Source: certutil.exe, 0000000C.00000002.2206489227.000000006A7CB000.00000002.00000001.01000000.00000026.sdmp, libnspr4.dll.3.dr | String found in binary or memory: http://www.mozilla.org/MPL/NSPR_FD_CACHE_SIZE_LOWNSPR_FD_CACHE_SIZE_HIGH;
Source: svcAppLookup.exe, 00000008.00000002.4462048125.000000006BCB7000.00000002.00000001.01000000.00000018.sdmp, svcAppLookup.exe, 00000008.00000002.4462749493.000000006BDBD000.00000002.00000001.01000000.00000015.sdmp, rundll32.exe, 0000000A.00000002.4465966699.000000006BCB7000.00000002.00000001.01000000.00000018.sdmp, rundll32.exe, 0000000A.00000002.4466342443.000000006BDBD000.00000002.00000001.01000000.00000015.sdmp, libeay32.dll0.3.dr | String found in binary or memory: http://www.openssl.org/V
Source: libeay32.dll0.3.dr, libeay32.dll.3.dr | String found in binary or memory: http://www.openssl.org/support/faq.html
Source: libeay32.dll0.3.dr, libeay32.dll.3.dr | String found in binary or memory: http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEprng
Source: certutil.exe, 0000000C.00000003.2199415266.00000000022DB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2201853866.00000000022EB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203013749.0000000001C9B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: certutil.exe, 0000000C.00000003.2199415266.00000000022DB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2201853866.00000000022EB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203013749.0000000001C9B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: svcAppLookup.exe, svcAppLookup.exe, 00000008.00000002.4458821210.000000000121A000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4461246118.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4465587996.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp, PocoXML.dll0.3.dr | String found in binary or memory: http://xml.org/sax/features/external-general-entities
Source: rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://xml.org/sax/features/external-general-entitiesn
Source: svcAppLookup.exe, svcAppLookup.exe, 00000008.00000002.4458821210.000000000121A000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4461246118.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4465587996.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp, PocoXML.dll0.3.dr | String found in binary or memory: http://xml.org/sax/features/external-parameter-entities
Source: svcAppLookup.exe, svcAppLookup.exe, 00000008.00000002.4458821210.000000000126C000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4461246118.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4465587996.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp, PocoXML.dll0.3.dr | String found in binary or memory: http://xml.org/sax/features/namespace-prefixes
Source: svcAppLookup.exe, 00000008.00000002.4458821210.000000000126C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://xml.org/sax/features/namespace-prefixes3
Source: rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://xml.org/sax/features/namespace-prefixesx
Source: svcAppLookup.exe, svcAppLookup.exe, 00000008.00000002.4458821210.000000000126C000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4461246118.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4465587996.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp, PocoXML.dll0.3.dr | String found in binary or memory: http://xml.org/sax/features/namespaces
Source: rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://xml.org/sax/features/namespaces&
Source: svcAppLookup.exe, svcAppLookup.exe, 00000008.00000002.4458821210.000000000126C000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4461246118.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4465587996.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp, PocoXML.dll0.3.dr | String found in binary or memory: http://xml.org/sax/features/string-interning
Source: svcAppLookup.exe, 00000008.00000002.4458821210.000000000126C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://xml.org/sax/features/string-interningG
Source: svcAppLookup.exe, svcAppLookup.exe, 00000008.00000002.4458821210.000000000126C000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4461246118.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4465587996.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp, PocoXML.dll0.3.drString found in binary or memory: http://xml.org/sax/features/validation
Source: svcAppLookup.exe, 00000008.00000002.4458821210.000000000126C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://xml.org/sax/features/validationX
Source: svcAppLookup.exe, svcAppLookup.exe, 00000008.00000002.4458821210.000000000121A000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4461246118.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4465587996.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp, PocoXML.dll0.3.drString found in binary or memory: http://xml.org/sax/properties/declaration-handler
Source: svcAppLookup.exe, svcAppLookup.exe, 00000008.00000002.4458821210.000000000126C000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4461246118.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4465587996.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp, PocoXML.dll0.3.drString found in binary or memory: http://xml.org/sax/properties/lexical-handler
Source: rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://xml.org/sax/properties/lexical-handlerQ
Source: nt_system_service.exe, 00000009.00000002.4460150594.00000000013D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.ap01.nXnm
Source: post_install.exe, post_install.exe, 00000004.00000002.2192666922.0000000000F8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crx
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crxV
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crxVE
Source: antivirus_detector.exe, 00000002.00000002.4459215588.000000000123E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crxe.dll
Source: antivirus_detector.exe, 00000002.00000002.4459215588.000000000123E000.00000004.00000020.00020000.00000000.sdmp, post_install.exe, 00000004.00000002.2192666922.0000000000F8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crxll.dll
Source: antivirus_detector.exe, 00000002.00000000.1990976682.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp, antivirus_detector.exe, 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp, post_install.exe, 00000004.00000000.2119366297.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp, post_install.exe, 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp, rundll32.exe, 0000000A.00000002.4464986715.000000006B282000.00000002.00000001.01000000.0000001B.sdmp, uninstall.exe0.3.dr, svcAppInit.dll0.3.drString found in binary or memory: https://clients2.google.com/service/update2/crxmbiemjlmncjcojkndbdmpjnaafjobifl;https://clients2.goo
Source: nt_system_service.exe, 00000009.00000002.4460150594.00000000013D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: rundll32.exe, 0000000A.00000002.4464252813.000000006AA02000.00000002.00000001.01000000.0000001D.sdmp, libprotobuf-lite.dll0.3.drString found in binary or memory: https://developers.google.com/protocol-buffers/
Source: nt_system_service.exe, 00000009.00000002.4460150594.00000000013D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIX
Source: nt_system_service.exe, 00000009.00000002.4460150594.00000000013D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs
Source: antivirus_detector.exeString found in binary or memory: https://portal.mobilebackup.biz/help/en/install/pc/common-anti-virus-program-instructions-for-adding
Source: antivirus_detector.exeString found in binary or memory: https://portal.mobilebackup.biz/help/en/install/pc/configure-exclusions-for-windows.html
Source: antivirus_detector.exe, 00000002.00000000.1990976682.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp, antivirus_detector.exe, 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://portal.mobilebackup.biz/help/en/install/pc/configure-exclusions-for-windows.htmlhttps://port
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4459759875.0000000004845000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://push.mobilefonex.com
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://push.mobilefonex.comc
Source: nt_system_service.exe, 00000009.00000002.4460150594.00000000013D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&re
Source: rundll32.exe, 0000000A.00000002.4465825694.000000006BC6F000.00000002.00000001.01000000.00000018.sdmpString found in binary or memory: https://www.openssl.org/docs/faq.html
Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49732 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49734 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49738 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49739 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49740 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49742 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49743 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49744 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49745 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49746 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49748 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49749 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49750 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49752 version: TLS 1.2
Source: unknownHTTPS traffic detected: 119.8.47.97:443 -> 192.168.2.5:49753 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\SysWOW64\rundll32.exe | Windows user hook set: Path: unknown Event Start: focus Event End: focus Module: NULL
Source: C:\Users\user\Desktop\5006_2.6.2.exe | Code function: 0_2_00405275 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard | 0_2_00405275

E-Banking Fraud

Source: explorer.exe | File created: function: sendto
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\Packet.dll
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | File created: C:\Program Files (x86)\Windows Provisioning\app_data\de_netfilter\SSL\DigiCert SHA2 Extended Validation Server CA 3.cer

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\Packet.dll

System Summary

Source: 10.2.rundll32.exe.6aab0000.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Hellokitty_d9391a1a Author: unknown
Source: 0000000A.00000002.4464326614.000000006AAB1000.00000020.00000001.01000000.0000001B.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Hellokitty_d9391a1a Author: unknown
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.dll, type: DROPPED | Matched rule: Windows_Ransomware_Hellokitty_d9391a1a Author: unknown
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Memory allocated: 76960000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76960000 page execute and read and write
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Code function: 4_2_005CA980 memset,NtWow64QueryInformationProcess64,NtWow64QueryInformationProcess64 | 4_2_005CA980
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Code function: 4_2_005CAA20 memset,NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64 | 4_2_005CAA20
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Code function: 4_2_005CAAA0 NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64 | 4_2_005CAAA0
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Code function: 4_2_005CBBF0 memset,NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64 | 4_2_005CBBF0
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Code function: 4_2_005CBC70 memset,NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64 | 4_2_005CBC70
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: 9_2_009831F0: DeviceIoControl | 9_2_009831F0
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Code function: 4_2_005C2100 Sleep,OpenSCManagerW,OpenServiceA,ChangeServiceConfig2W,DeleteService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,GetLastError | 4_2_005C2100
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Code function: 2_2_009FBB30 memset,CreateEnvironmentBlock,CreateProcessAsUserW,DestroyEnvironmentBlock,CloseHandle,CloseHandle,CloseHandle | 2_2_009FBB30
Source: C:\Users\user\Desktop\5006_2.6.2.exe | Code function: 0_2_0040326B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess | 0_2_0040326B
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | Code function: 3_2_0040326B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess | 3_2_0040326B
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\npf.sys
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\system32\drivers\npf.sys
Source: C:\Users\user\Desktop\5006_2.6.2.exe | File created: C:\Windows\SysWOW64\msvcr110.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\SysWOW64\PocoCrypto.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\SysWOW64\PocoFoundation.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\SysWOW64\PocoJSON.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\SysWOW64\PocoNet.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\SysWOW64\PocoNetSSL.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\SysWOW64\PocoUtil.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\SysWOW64\PocoXML.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\SysWOW64\libeay32.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\SysWOW64\ssleay32.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\SysWOW64\libcrypto.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\SysWOW64\libssl.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\SysWOW64\Packet.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\SysWOW64\wpcap.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\SysWOW64\pthreadVC.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\system32\Packet.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\system32\wpcap.dll
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_008CC3C09_2_008CC3C0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_008CC3409_2_008CC340
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_008EE4E09_2_008EE4E0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_0093E5209_2_0093E520
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_008D85509_2_008D8550
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_009006709_2_00900670
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_009408F09_2_009408F0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_009388209_2_00938820
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_008F09A09_2_008F09A0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_009469209_2_00946920
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_009529209_2_00952920
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_009169609_2_00916960
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_00910A809_2_00910A80
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_00918AA09_2_00918AA0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_008E8A609_2_008E8A60
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_0094CBD09_2_0094CBD0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_008FCB509_2_008FCB50
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_008BCC609_2_008BCC60
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_008D8DB09_2_008D8DB0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_00910DC09_2_00910DC0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_008E2D109_2_008E2D10
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_008EED509_2_008EED50
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_00952D709_2_00952D70
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_008FEF609_2_008FEF60
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_009290909_2_00929090
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_008F10C09_2_008F10C0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_0093D1A09_2_0093D1A0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_0094F1A09_2_0094F1A0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_009111309_2_00911130
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_009132109_2_00913210
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_008E32109_2_008E3210
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_009554009_2_00955400
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_009175209_2_00917520
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_008E35409_2_008E3540
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_008F35409_2_008F3540
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_008F16C09_2_008F16C0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_008B76509_2_008B7650
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_0093B7B09_2_0093B7B0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_009078A09_2_009078A0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_008E98F09_2_008E98F0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_009018109_2_00901810
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_008E38609_2_008E3860
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_008E3B809_2_008E3B80
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_0093FBD09_2_0093FBD0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_0090DB109_2_0090DB10
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_00925C809_2_00925C80
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_0090BCD09_2_0090BCD0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_0095BCC09_2_0095BCC0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_008B1CE09_2_008B1CE0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_008E7CE09_2_008E7CE0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_00951D809_2_00951D80
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_008E3EA09_2_008E3EA0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_008EFEF09_2_008EFEF0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_008FBE609_2_008FBE60
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_008E9FB09_2_008E9FB0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_6C6D92C19_2_6C6D92C1
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_6C656C109_2_6C656C10
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_6C754CB09_2_6C754CB0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_6C6A4DE09_2_6C6A4DE0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_6C690EF09_2_6C690EF0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_6C754AA09_2_6C754AA0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_6C7B67609_2_6C7B6760
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_6C7547409_2_6C754740
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_6C7560709_2_6C756070
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_6C6720209_2_6C672020
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_6C7563409_2_6C756340
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_6C7403D09_2_6C7403D0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_6C657D209_2_6C657D20
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_6C73FEC09_2_6C73FEC0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_6C657F599_2_6C657F59
Source: C:\Windows\SysWOW64\rundll32.exe | Process token adjusted: Security
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Code function: String function: 005B2590 appears 104 times
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Code function: String function: 005B2620 appears 171 times
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Code function: String function: 005B50B0 appears 59 times
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Code function: String function: 00801AA0 appears 49 times
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Code function: String function: 00801B30 appears 109 times
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Code function: String function: 00805E30 appears 31 times
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Code function: String function: 00682590 appears 119 times
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Code function: String function: 0069B9B0 appears 45 times
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Code function: String function: 0069C540 appears 162 times
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Code function: String function: 6BA1A2B9 appears 42 times
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Code function: String function: 006839E0 appears 65 times
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Code function: String function: 0069BC00 appears 137 times
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Code function: String function: 0069C640 appears 40 times
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Code function: String function: 6BA02A30 appears 48 times
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Code function: String function: 00682500 appears 41 times
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: String function: 6C651140 appears 37 times
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: String function: 6C6CD86D appears 55 times
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: String function: 00900450 appears 103 times
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: String function: 00900200 appears 44 times
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: String function: 008A52B0 appears 72 times
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: String function: 6C6C7F55 appears 79 times
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: String function: 00900D90 appears 140 times
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: String function: 008B9F10 appears 45 times
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: String function: 008A5220 appears 61 times
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: String function: 00900E90 appears 40 times
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: String function: 008EB730 appears 102 times
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: String function: 6C73EB30 appears 41 times
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: String function: 6C73E8A0 appears 180 times
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: String function: 6C7664B0 appears 301 times
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: String function: 008A7240 appears 317 times
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: String function: 008B6EA0 appears 103 times
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: String function: 008A8560 appears 431 times
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: String function: 6C6AD8DB appears 43 times
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: String function: 6C6CCCF0 appears 123 times
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: String function: 0097F478 appears 308 times
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Code function: String function: 009F27D0 appears 40 times
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Code function: String function: 009F5460 appears 39 times
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Code function: String function: 009F2740 appears 31 times
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Code function: String function: 009F6660 appears 65 times
Source: C:\Users\user\Desktop\5006_2.6.2.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\5006_2.6.2.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\5006_2.6.2.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\5006_2.6.2.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\5006_2.6.2.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\5006_2.6.2.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\5006_2.6.2.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\5006_2.6.2.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\5006_2.6.2.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\5006_2.6.2.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\5006_2.6.2.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\5006_2.6.2.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\5006_2.6.2.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: concrt140.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Section loaded: msvcp140.dll
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Section loaded: amsi.dll
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Section loaded: winsta.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppUpdate.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppUpdate.exe | Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppUpdate.exe | Section loaded: msvcp140.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppUpdate.exe | Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppUpdate.exe | Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppUpdate.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppUpdate.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppUpdate.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Section loaded: msvcp140.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Section loaded: winsta.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: secur32.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: msvcp140.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: winsta.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: poconetssl.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: pocofoundation.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: pocoutil.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: poconet.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: pocofoundation.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: poconet.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: libcrypto.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: libssl.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: pococrypto.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: pocoutil.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: libcrypto.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: libcrypto.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: pocoxml.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: pocojson.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: amsi.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Section loaded: msvcp140.dll
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Section loaded: protocolfilters.dll
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Section loaded: propsys.dll
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Section loaded: winsta.dll
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exe | Section loaded: nssutil3.dll
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exe | Section loaded: smime3.dll
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exeSection loaded: nss3.dll
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exeSection loaded: libplc4.dll
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exeSection loaded: libplds4.dll
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exeSection loaded: libnspr4.dll
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exeSection loaded: libplc4.dll
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exeSection loaded: libplds4.dll
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exeSection loaded: libnspr4.dll
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exeSection loaded: nss3.dll
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exeSection loaded: libplc4.dll
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exeSection loaded: libplds4.dll
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exeSection loaded: libnspr4.dll
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exeSection loaded: libplc4.dll
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exeSection loaded: libplds4.dll
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exeSection loaded: libnspr4.dll
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exeSection loaded: libnspr4.dll
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exeSection loaded: libnspr4.dll
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exeSection loaded: mswsock.dll
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exeSection loaded: winmm.dll
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exeSection loaded: sqlite3.dll
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exeSection loaded: cryptbase.dll
Source: 5006_2.6.2.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 10.2.rundll32.exe.6aab0000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Hellokitty_d9391a1a reference_sample = 10887d13dba1f83ef34e047455a04416d25a83079a7f3798ce3483e0526e3768, os = windows, severity = x86, creation_date = 2021-05-03, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Hellokitty, fingerprint = 4b9c96561163f925df6b2300c9e34c9572c1fe14ec3a55da4d4876ce467f6d6e, id = d9391a1a-78d3-4ae6-8e45-630ceec8bade, last_modified = 2021-08-23
Source: 0000000A.00000002.4464326614.000000006AAB1000.00000020.00000001.01000000.0000001B.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Hellokitty_d9391a1a reference_sample = 10887d13dba1f83ef34e047455a04416d25a83079a7f3798ce3483e0526e3768, os = windows, severity = x86, creation_date = 2021-05-03, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Hellokitty, fingerprint = 4b9c96561163f925df6b2300c9e34c9572c1fe14ec3a55da4d4876ce467f6d6e, id = d9391a1a-78d3-4ae6-8e45-630ceec8bade, last_modified = 2021-08-23
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.dll, type: DROPPEDMatched rule: Windows_Ransomware_Hellokitty_d9391a1a reference_sample = 10887d13dba1f83ef34e047455a04416d25a83079a7f3798ce3483e0526e3768, os = windows, severity = x86, creation_date = 2021-05-03, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Hellokitty, fingerprint = 4b9c96561163f925df6b2300c9e34c9572c1fe14ec3a55da4d4876ce467f6d6e, id = d9391a1a-78d3-4ae6-8e45-630ceec8bade, last_modified = 2021-08-23
Source: classification engine | Classification label: mal54.phis.bank.adwa.spyw.evad.winEXE@17/121@1/1
Source: C:\Users\user\Desktop\5006_2.6.2.exe | Code function: 0_2_0040326B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040326B
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Code function: 2_2_00A056F0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,2_2_00A056F0
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | Code function: 3_2_0040326B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,3_2_0040326B
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Code function: 4_2_005CADA0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,4_2_005CADA0
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Code function: 7_2_00804890 memset,OpenProcess,GetLastError,_CxxThrowException,OpenProcessToken,GetLastError,_CxxThrowException,LookupPrivilegeValueW,GetLastError,_CxxThrowException,DuplicateTokenEx,GetLastError,_CxxThrowException,SetTokenInformation,AdjustTokenPrivileges,GetLastError,GetLastError,CreateEnvironmentBlock,GetLastError,_CxxThrowException,wcscpy_s,CreateProcessAsUserW,GetLastError,_CxxThrowException,wcscpy_s,CreateProcessAsUserW,GetLastError,TerminateProcess,_CxxThrowException,CloseHandle,WaitForMultipleObjects,TerminateProcess,CreateEventW,SetEvent,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,MsgWaitForMultipleObjects,PeekMessageW,DispatchMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,MsgWaitForMultipleObjects,CloseHandle,DestroyEnvironmentBlock,GetExitCodeProcess,Sleep,GetLastError,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,7_2_00804890
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: 9_2_00982F00 ?_Throw_C_error@std@@YAXH@Z,GetCurrentProcessId,OpenProcess,OpenProcessToken,CloseHandle,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,CloseHandle,CloseHandle,9_2_00982F00
Source: C:\Users\user\Desktop\5006_2.6.2.exe | Code function: 0_2_00404530 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_00404530
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Code function: OpenSCManagerW,CreateServiceA,GetLastError,CloseServiceHandle,_CxxThrowException,ChangeServiceConfig2W,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,GetLastError,4_2_005C1820
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Code function: OpenSCManagerW,GetLastError,_CxxThrowException,CreateServiceA,GetLastError,CloseServiceHandle,ChangeServiceConfig2W,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,4_2_005C1160
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Code function: OpenSCManagerW,GetLastError,_CxxThrowException,CreateServiceA,GetLastError,CloseServiceHandle,ChangeServiceConfig2W,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,4_2_005C0B50
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Code function: _stat64i32,OpenSCManagerW,CreateServiceA,GetLastError,CloseServiceHandle,_CxxThrowException,ChangeServiceConfig2W,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,GetLastError,4_2_005C1E20
Source: C:\Program Files (x86)\Windows Provisioning\svcAppUpdate.exe | Code function: OpenSCManagerW,CreateServiceA,GetLastError,CloseServiceHandle,_CxxThrowException,ChangeServiceConfig2W,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,GetLastError,5_2_006AB940
Source: C:\Program Files (x86)\Windows Provisioning\svcAppUpdate.exe | Code function: OpenSCManagerW,GetLastError,_CxxThrowException,CreateServiceA,GetLastError,CloseServiceHandle,ChangeServiceConfig2W,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,5_2_006AB670
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Code function: 2_2_00A046B0 memset,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,2_2_00A046B0
Source: C:\Users\user\Desktop\5006_2.6.2.exe | Code function: 0_2_00402138 CoCreateInstance,MultiByteToWideChar,0_2_00402138
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Code function: 2_2_009F69A0 CreateCompatibleDC,SelectObject,GetObjectW,BitBlt,SelectObject,DeleteDC,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,SendMessageW,GetDlgItem,DefWindowProcW,GetClientRect,RedrawWindow,SetWindowLongW,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,SetTextColor,SetBkMode,GetStockObject,FindResourceW,FindResourceW,LoadResource,DialogBoxIndirectParamW,KiUserCallbackDispatcher,FindResourceW,LoadResource,DialogBoxIndirectParamW,FindResourceW,LoadResource,DialogBoxIndirectParamW,EndDialog,GetWindowLongW,SetWindowLongW,SetWindowTextW,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetDlgItemTextW,SetDlgItemTextW,SetDlgItemTextW,SetDlgItemTextW,SetDlgItemTextW,SetDlgItemTextW,SetDlgItemTextW,SetDlgItemTextW,SetDlgItemTextW,SetDlgItemTextW,SetDlgItemTextW,SetDlgItemTextW,GetWindowLongW,SetWindowLongW,GetDesktopWindow,GetWindowRect,GetWindowRect,GetWindowRect,MoveWindow,2_2_009F69A0
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Code function: 2_2_00A02B50 _stat64i32,OpenSCManagerW,OpenServiceA,ChangeServiceConfig2W,GetTickCount,GetTickCount,QueryServiceStatusEx,Sleep,QueryServiceStatusEx,GetTickCount,ControlService,Sleep,Sleep,QueryServiceStatusEx,GetTickCount,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,GetLastError,GetLastError,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,GetLastError,2_2_00A02B50
Source: C:\Program Files (x86)\Windows Provisioning\svcAppUpdate.exe | Code function: 5_2_006A2E40 memset,wcscpy_s,StartServiceCtrlDispatcherW,GetLastError,5_2_006A2E40
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Code function: 7_2_00805F50 wcscpy_s,StartServiceCtrlDispatcherW,GetLastError,7_2_00805F50
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Code function: 8_2_006839F0 memset,wcscpy_s,StartServiceCtrlDispatcherW,GetLastError,8_2_006839F0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: 9_2_008AA280 StartServiceCtrlDispatcherW,GetLastError,9_2_008AA280
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning
Source: C:\Users\user\Desktop\5006_2.6.2.exe | File created: C:\Users\user\AppData\Roaming\Windows Provisioning
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Mutant created: NULL
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Mutant created: \BaseNamedObjects\Global\Session_BDB1BEC9-DFE1-4FE7-9956-5D90508D03A8}
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Mutant created: \BaseNamedObjects\Global\APP_7a176276-e800-4daa-b5e8-7febbd3efc4a
Source: C:\Windows\System32\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\GLOBAL_FILE_EVENT_MUTEX_563666373
Source: C:\Windows\System32\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\FX_MUTEX_13FF2604_36CB_4ED4_A338_74BBD556055_RESPONSE
Source: C:\Windows\System32\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\GLOBAL_HIDE_MUTEX_452555262
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Mutant created: \BaseNamedObjects\Global\KNIT_WMST_TMP_A2FA6D83-517F-41C2-A8D6-647E41231D92
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\APP_5491c4d3-0a5f-4898-bec4-cd906998e306
Source: C:\Windows\System32\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\GLOBAL_KEYLOG_SETTINGS_MUTEX_452555262
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Mutant created: \BaseNamedObjects\Global\KNIT_WM_IPC6F69A0FF-B7BD-4ED1-B123-6ADFC7CE5340_MUTEX
Source: C:\Windows\System32\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\Stub_5491c4d3-0a5f-4898-bec4-cd906998e306
Source: C:\Windows\System32\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\GLOBAL_MUTEX_231444252
Source: C:\Windows\System32\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\FX_MUTEX_13FF2604_36CB_4ED4_A338_74BBD556055_REQUEST
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\FX_MUTEX_13FF2604_36CB_4ED4_A338_74BBD556055_
Source: C:\Users\user\Desktop\5006_2.6.2.exe | File created: C:\Users\user\AppData\Local\Temp\nsuBA52.tmp
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Command line argument: license.txt 2_2_009F2E60
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Command line argument: log.csv 2_2_009F2E60
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Command line argument: LIC 2_2_009F2E60
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Command line argument: LIC 2_2_009F2E60
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Command line argument: Status 2_2_009F2E60
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Command line argument: Status 2_2_009F2E60
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Command line argument: -s=%d 2_2_009F2E60
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Command line argument: version.txt 2_2_009F2E60
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Command line argument: -s=1 2_2_009F2E60
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Command line argument: \version.txt 2_2_009F2E60
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Command line argument: \version.txt 2_2_009F2E60
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Command line argument: post_install 4_2_005B26B0
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Command line argument: exe= 4_2_005B26B0
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Command line argument: inst= 4_2_005B26B0
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Command line argument: post_install 4_2_005B26B0
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Command line argument: shutdown.dat 4_2_005B26B0
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Command line argument: shutdown.dat 4_2_005B26B0
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Command line argument: post_install 4_2_005B26B0
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Command line argument: inst.dat 4_2_005B26B0
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Command line argument: post_install 4_2_005B26B0
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Command line argument: post_install 4_2_005B26B0
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Command line argument: post_install 4_2_005B26B0
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Command line argument: stealth_manager 4_2_005B26B0
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Command line argument: uninstall_util 4_2_005B26B0
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Command line argument: uninstall_util 4_2_005B26B0
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Command line argument: post_install 4_2_005B26B0
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Command line argument: lic.dat 4_2_005B26B0
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Command line argument: post_install 4_2_005B26B0
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Command line argument: post_install 4_2_005B26B0
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Command line argument: post_install 4_2_005B26B0
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Command line argument: post_install 4_2_005B26B0
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Command line argument: post_install 4_2_005B26B0
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Command line argument: post_install 4_2_005B26B0
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Command line argument: post_install 4_2_005B26B0
Source: 5006_2.6.2.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\5006_2.6.2.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\5006_2.6.2.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Program Files (x86)\Windows Provisioning\svcAppInit.dll",ProcessDll s=hidedialog
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_traffic WHERE remote_host_id=?;RG
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_traffic WHERE remote_host_id=?;Rg%uR
Source: svcAppLookup.exe, 00000008.00000002.4458821210.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200286967.00000000012E5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_remote_host WHERE network_interface_id=?;rol,UES ;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE fx_thumbnail SET event_time=?,event_type=?,media_id=?,media_type=?,actual_size=?,actual_duration=?,full_path=?,event_time_zone=? WHERE event_id=?;V
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE fx_desktop_app_usage SET event_time=?,user_logon=?,app_id=?,app_name=?,app_title=?,got_focus=?,lost_focus=?,duration=?,owner_domain=?,owner_username=?,elevated=?,event_time_zone=? WHERE event_id=?;
Source: nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_network_interface WHERE event_network_traffic_id=?;,privilege_
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);V}
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT COUNT(*) FROM fx_im_message;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_remote_host WHERE network_interface_id=?;e,pv4,&
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_traffic WHERE remote_host_id=?;RW
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT COUNT(*) FROM fx_email;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_file_permission WHERE file_id=? AND file_info_type=?;k*
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);VH
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS virtual_payload (BASE_ID INTEGER PRIMARY KEY AUTOINCREMENT, csid INTEGER, event_attributes BLOB, event_file_path TEXT, event_file_md5 BLOB );
Source: svcAppLookup.exe, svcAppLookup.exe, 00000008.00000000.2190159565.00000000006FE000.00000002.00000001.01000000.0000000E.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.000000000121A000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458238469.00000000006FE000.00000002.00000001.01000000.0000000E.sdmp, rundll32.exe, 0000000A.00000002.4464986715.000000006B282000.00000002.00000001.01000000.0000001B.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe0.3.dr, svcAppInit.dll0.3.dr | Binary or memory string: SELECT * FROM fx_session_store WHERE session_type=? AND session_user=? AND date_time=?;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_attachment2(full_path,msg_type,msg_id,file_name) VALUES (?,?,?,?);_network_traffic_id)m
Source: rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_network_interface WHERE event_network_traffic_id=?;lX
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);VP
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);VQ
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE fx_panic_image SET event_time=?,latitude=?,longitude=?,altitude=?,coordinate_acc=?,network_name=?,network_id=?,cell_name=?,cell_id=?,country_code=?,area_code=?,media_type=?,image_path=?,event_time_zone=? WHERE event_id=?;ound_size,i
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT COUNT(*) FROM fx_desktop_file_activity;#
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_remote_host WHERE network_interface_id=?;p_id=?,
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_app_life_cycle(event_time,state,type,app_id,app_name,version,app_size,icon_type,full_name,icon,event_time_zone) VALUES (?,?,?,?,?,?,?,?,?,?,?);f
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE fx_desktop_peripheral SET event_time=?,event_time_zone=?,user_logon=?,app_id=?,app_name=?,app_title=?,action=?,peripheral_type=?,serial_number=?,product_id=?,vendor_id=?,description=?manufacturer=?friendly_name=? WHERE event_id=?;file_att=?,updated_file_path=?,updated_file_name=?,updated_file_size=?,updated_file_att=?,event_time_zone=? WHERE Y
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM installed_app_from_running_app WHERE app_id=? AND location=?;tR7
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_setting_elem(parent_id,setting_id,value) VALUES (?,?,?);
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT COUNT(direction) FROM fx_mms WHERE direction=2;,sender_address
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_attachment2(full_path,msg_type,msg_id,file_name) VALUES (?,?,?,?);w
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE fx_desktop_peripheral SET event_time=?,event_time_zone=?,user_logon=?,app_id=?,app_name=?,app_title=?,action=?,peripheral_type=?,serial_number=?,product_id=?,vendor_id=?,description=?manufacturer=?friendly_name=? WHERE event_id=?;file_att=?,updated_file_path=?,updated_file_name=?,updated_file_size=?,updated_file_att=?,event_time_zone=? WHERE
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE fx_sms SET event_time=?,direction=?,conversation_id=?,sender_number=?,sender_contact_name=?,subject=?,message=?,event_time_zone=? WHERE event_id=?;,
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_remote_host(remote_ipv4,remote_ipv6,host_name,event_network_traffic_id,network_interface_id) VALUES (?,?,?,?,?);) VALUES V
Source: svcAppLookup.exe, 00000008.00000002.4458821210.000000000121A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_network_interface WHERE event_network_traffic_id=?;y=?
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT ready_flag, payload_path, protocol_version, product_id, product_version, config_id, device_id, activate_code, language, phone_number, mcc, mnc, imsi, host_url, encrypt_code, compress_code, payload_size, payload_crc, public_key, ssid, has_virtual_payload, virtual_payload_attributes, aes_key, connection_timeout FROM phoenix_session WHERE csid=?;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_traffic WHERE remote_host_id=?;6,host_name,pv4,
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_attachment2(full_path,msg_type,msg_id,file_name) VALUES (?,?,?,?);_network_traffic_id)Q-
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_desktop_log_on(event_time,user_logon,app_id,app_name,app_title,action,domain_name,event_time_zone) VALUES (?,?,?,?,?,?,?,?);
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);VE
Source: svcAppLookup.exe, 00000008.00000002.4458821210.000000000121A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_network_interface WHERE event_network_traffic_id=?;l#
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_attachment2(full_path,msg_type,msg_id,file_name) VALUES (?,?,?,?);V
Source: svcAppLookup.exe, 00000008.00000002.4460147545.0000000001FCF000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200101408.0000000001FAF000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.3124446339.0000000001FCF000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.3575228733.0000000001FCF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_desktop_protected_resource_audit_log(event_time,user_logon,app_id,app_name,app_title,employee_id,app_credential_name,well_known_name,accessed_url,status_message,event_time_zone,log_in_result) VALUES (?,?,?,?,?,?,?,?,?,?,?,?);
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(*) FROM fx_desktop_network_traffic;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_video_thumb_data(media_id,image_full_path) VALUES (?,?);ct_name=?,subject=?,message=?,9
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_remote_host WHERE network_interface_id=?;e,pv4,T
Source: nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(direction) FROM fx_desktop_email WHERE direction=1 AND user_logon=? ;Y
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_remote_host WHERE network_interface_id=?;) VALUES
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_geo_tag(media_id,latitude,longitude,altitude) VALUES (?,?,?,?);,privilege_read_execute,4
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_geo_tag(media_id,latitude,longitude,altitude) VALUES (?,?,?,?);,privilege_read_execute,5
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_attachment2(full_path,msg_type,msg_id,file_name) VALUES (?,?,?,?);?,app_name=?,app_title=?uleE{/~
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_attachment2(full_path,msg_type,msg_id,file_name) VALUES (?,?,?,?);_network_traffic_id)'
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE fx_desktop_app_screenshot SET event_time=?,user_logon=?,app_id=?,app_name=?,app_title=?,app_category=?,url=?,snapshot_type=?,snapshot_path=?,event_time_zone=?,screen_category=? WHERE event_id=?;7
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);V#
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(direction) FROM fx_pin_message WHERE direction=?;
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE fx_location SET event_time=?,calling_module=?,method=?,provider=?,latitude=?,longitude=?,altitude=?,horizontal_acc=?,vertical_acc=?,speed=?,heading=?,network_id=?,network_name=?,cell_name=?,cell_id=?,area_code=?,country_code=?,event_time_zone=? WHERE event_id=?;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);t=?,date_time_end=?,event_time_zone=? WHERE N
Source: nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);=?,sender_email=?,sender_contact_name=?,subjecte,
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);V
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_im_contact(event_time,service_id,owner_id,contact_id,display_name,status_message,picture_profile,event_time_zone) VALUES (?,?,?,?,?,?,?,?);E
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_video_thumb_data(media_id,image_full_path) VALUES (?,?);rk_traffic_id,OU
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE fx_thumbnail SET event_time=?,event_type=?,media_id=?,media_type=?,actual_size=?,actual_duration=?,full_path=?,event_time_zone=? WHERE event_id=?;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE fx_email SET event_time=?,direction=?,sender_email=?,sender_contact_name=?,subject=?,message=?,html_text=?,event_time_zone=? WHERE event_id=?;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_video_thumb_data(media_id,image_full_path) VALUES (?,?);,msg_type,msg_id) VALUES V
Source: svcAppLookup.exe, 00000008.00000003.2210025540.0000000001FAD000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200187887.0000000001FA0000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4460147545.0000000001FAD000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.3575305638.0000000001FAB000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.3124518059.0000000001FAB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(*) FROM fx_desktop_key;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);W
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_desktop_file_transfer(event_time,user_logon,app_id,app_name,app_title,direction,transfer_type,source,destination,filename,filesize,event_time_zone) VALUES (?,?,?,?,?,?,?,?,?,?,?,?);
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_geo_tag(media_id,latitude,longitude,altitude) VALUES (?,?,?,?);crosoftedge
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE fx_pin_message SET event_time=?,direction=?,sender_name=?,sender_contact_name=?,subject=?,message=?,event_time_zone=? WHERE event_id=?;E
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(*) FROM fx_desktop_network_connection;Y
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_traffic(app_layer_protocol_type,tran_layer_protocol_type,port_number,inbound_size,outbound_size,inbound_packet,outbound_packet,event_network_traffic_id,remote_host_id) VALUES (?,?,?,?,?,?,?,?,?);0=
Source: svcAppLookup.exe, 00000008.00000003.2200403958.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200286967.00000000012E5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO installed_app_from_running_app (app_id, app_name, version, location, icon_path, date_time, size) VALUES (?,?,?,?,?,?,?);"
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(*) FROM fx_im_conversation;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_call_tag(media_id,direction,duration,number,contact_name) VALUES (?,?,?,?,?);e_zone=?.
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);g
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(*) FROM fx_im_conversation;,id,x1
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_video_thumb_data(media_id,image_full_path) VALUES (?,?);,msg_type,msg_id) VALUES e_zone)V
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT MAX(latest_csid) from csid_generator; z
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);>
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_traffic(app_layer_protocol_type,tran_layer_protocol_type,port_number,inbound_size,outbound_size,inbound_packet,outbound_packet,event_network_traffic_id,remote_host_id) VALUES (?,?,?,?,?,?,?,?,?);s8
Source: svcAppLookup.exe, 00000008.00000003.2210025540.0000000001FAD000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200187887.0000000001FA0000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4464223091.000000006C4F5000.00000002.00000001.01000000.00000011.sdmp, svcAppLookup.exe, 00000008.00000002.4460147545.0000000001FAD000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.3575305638.0000000001FAB000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.3124518059.0000000001FAB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4464986715.000000006B282000.00000002.00000001.01000000.0000001B.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp, svcAppInit.dll0.3.drBinary or memory string: SELECT * FROM installed_app_from_running_app;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_panic_status(event_time,status,event_time_zone) VALUES (?,?,?);
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_attachment2 WHERE msg_type=? AND msg_id=?;p_id=?,
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(*) FROM fx_panic_status;?,statuswG@~
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_recipient WHERE msg_type=? AND msg_id=?;V-R
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE fx_desktop_log_on SET event_time=?,user_logon=?,app_id=?,app_name=?,app_title=?,action=?,domain_name=?,event_time_zone=? WHERE event_id=?;tal_acc,
Source: svcAppLookup.exe, 00000008.00000003.2200403958.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200286967.00000000012E5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_remote_host(remote_ipv4,remote_ipv6,host_name,event_network_traffic_id,network_interface_id) VALUES (?,?,?,?,?);name=?,adapter_des=?,tate,
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_network_interface(type,name,description,local_ipv4,local_ipv6,event_network_traffic_id) VALUES (?,?,?,?,?,?);ethod=?,provider=?,latitude=?,
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(*) FROM fx_pin_message;?,st_id
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_remote_host(remote_ipv4,remote_ipv6,host_name,event_network_traffic_id,network_interface_id) VALUES (?,?,?,?,?);write,privilege_list_folder,R
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_recipient WHERE msg_type=? AND msg_id=?;W*J}Y
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_network_interface WHERE event_network_traffic_id=?;pe,_id
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(*) FROM fx_desktop_email;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE fx_app_life_cycle SET event_time=?,state=?,type=?,app_id=?,app_name=?,version=?,app_size=?,icon_type=?,full_name=?,icon=?,event_time_zone=? WHERE event_id=?;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_browser_url(event_time,title,url,visit_time,is_blocked,owning_app,event_time_zone) VALUES (?,?,?,?,?,?,?);Vs
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE fx_desktop_usb SET event_time=?,user_logon=?,app_id=?,app_name=?,app_title=?,action=?,device_type=?,name=?,event_time_zone=? WHERE event_id=?;V
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);,
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_desktop_email(event_time,user_logon,app_id,app_name,app_title,direction,service_type,sender_email,sender_contact_name,subject,body,event_time_zone) VALUES (?,?,?,?,?,?,?,?,?,?,?,?);Rg
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);*
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);'
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);ource,destination,filename,filesize,
Source: certutil.exe, 0000000C.00000002.2206120578.00000000011D5000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203974030.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203856321.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203203715.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2202802777.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2204537899.00000000011D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT ALL id FROM nssPublic WHERE a1=$DATA0 AND a0=$DATA1 AND a81=$DATA2 AND a82=$DATA3;
Source: softokn3.dll.3.drBinary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: svcAppLookup.exe, svcAppLookup.exe, 00000008.00000000.2190159565.00000000006FE000.00000002.00000001.01000000.0000000E.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.000000000121A000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458238469.00000000006FE000.00000002.00000001.01000000.0000000E.sdmp, rundll32.exe, 0000000A.00000002.4464986715.000000006B282000.00000002.00000001.01000000.0000001B.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe0.3.dr, svcAppInit.dll0.3.drBinary or memory string: INSERT INTO fx_session_store (session_type, session_user, session_domain, date_time) VALUES (?,?,?,?);
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_file_permission(username,privilege_full_control,privilege_modify,privilege_read_execute,privilege_read,privilege_write,privilege_list_folder,file_id,file_info_type) VALUES (?,?,?,?,?,?,?,?,?);l_name,cell_id,area_code,country;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_im_account(event_time,service_id,owner_id,display_name,status_message,picture_profile,event_time_zone) VALUES (?,?,?,?,?,?,?);shot_path=?,
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_file_permission WHERE file_id=? AND file_info_type=?;"
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_file_permission WHERE file_id=? AND file_info_type=?;&
Source: svcAppLookup.exe, 00000008.00000003.2200403958.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200286967.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_attachment2(full_path,msg_type,msg_id,file_name) VALUES (?,?,?,?);
Source: nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_file_permission WHERE file_id=? AND file_info_type=?;+
Source: svcAppLookup.exe, 00000008.00000003.2200403958.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200286967.00000000012E5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_geo_tag(media_id,latitude,longitude,altitude) VALUES (?,?,?,?);sj
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_file_permission WHERE file_id=? AND file_info_type=?;.
Source: svcAppInit.dll0.3.drBinary or memory string: SELECT name FROM sqlite_master WHERE type='table' AND name=?;PRAGMA table_info('');Component %d, Error %d, %s
Source: softokn3.dll.3.drBinary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);w_data=?,formatted_data=?,snapshot_type=?,
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE fx_email SET event_time=?,direction=?,sender_email=?,sender_contact_name=?,subject=?,message=?,html_text=?,event_time_zone=? WHERE event_id=?;W
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_traffic WHERE remote_host_id=?;6,host_name,G
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_traffic WHERE remote_host_id=?;6,host_name,name,
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_remote_host WHERE network_interface_id=?;l_ipv4,9
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_geo_tag(media_id,latitude,longitude,altitude) VALUES (?,?,?,?);pe,msg_id) VALUES _id)
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_panic_image(event_time,latitude,longitude,altitude,coordinate_acc,network_name,network_id,cell_name,cell_id,country_code,area_code,media_type,image_path,event_time_zone) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?);
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE fx_app_life_cycle SET event_time=?,state=?,type=?,app_id=?,app_name=?,version=?,app_size=?,icon_type=?,full_name=?,icon=?,event_time_zone=? WHERE event_id=?;R
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(direction) FROM fx_email WHERE direction=2;
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE fx_desktop_key SET event_time=?,user_logon=?,app_id=?,app_name=?,app_title=?,raw_data=?,formatted_data=?,url=?,snapshot_type=?,snapshot_path=?,event_time_zone=? WHERE event_id=?;'
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE fx_sms SET event_time=?,direction=?,conversation_id=?,sender_number=?,sender_contact_name=?,subject=?,message=?,event_time_zone=? WHERE event_id=?;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE fx_location SET event_time=?,calling_module=?,method=?,provider=?,latitude=?,longitude=?,altitude=?,horizontal_acc=?,vertical_acc=?,speed=?,heading=?,network_id=?,network_name=?,cell_name=?,cell_id=?,area_code=?,country_code=?,event_time_zone=? WHERE event_id=?;ege_full_control,privilege_modify,privilege_read_execute,privilege_read,privilege_write,pr<
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_remote_host WHERE network_interface_id=?;l_ipv4,,
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO fx_desktop_key(event_time,user_logon,app_id,app_name,app_title,raw_data,formatted_data,url,snapshot_type,snapshot_path,event_time_zone) VALUES (?,?,?,?,?,?,?,?,?,?,?);
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO fx_attachment2(full_path,msg_type,msg_id,file_name) VALUES (?,?,?,?);
Source: svcAppLookup.exe, 00000008.00000003.2200403958.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200286967.00000000012E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO fx_geo_tag(media_id,latitude,longitude,altitude) VALUES (?,?,?,?);
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200286967.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT * FROM fx_remote_host WHERE network_interface_id=?;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.000000000121A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT * FROM fx_network_interface WHERE event_network_traffic_id=?;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(direction) FROM fx_im_message WHERE direction=1;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(*) FROM fx_panic_image;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS fx_log_file_log(event_id INTEGER PRIMARY KEY AUTOINCREMENT,event_time TEXT,event_time_zone TEXT,log_category INTEGER,log_message TEXT,log_zip_file_path TEXT);
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE fx_panic_status SET event_time=?,status=?,event_time_zone=? WHERE event_id=?;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(*) FROM fx_desktop_src_record;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO fx_video_thumb_data(media_id,image_full_path) VALUES (?,?);
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO fx_network_interface(type,name,description,local_ipv4,local_ipv6,event_network_traffic_id) VALUES (?,?,?,?,?,?);
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(direction) FROM fx_email WHERE direction=1;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO fx_geo_tag(media_id,latitude,longitude,altitude) VALUES (?,?,?,?);
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO fx_remote_host(remote_ipv4,remote_ipv6,host_name,event_network_traffic_id,network_interface_id) VALUES (?,?,?,?,?);
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO fx_im_contact(event_time,service_id,owner_id,contact_id,display_name,status_message,picture_profile,event_time_zone) VALUES (?,?,?,?,?,?,?,?);
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO fx_network_interface(type,name,description,local_ipv4,local_ipv6,event_network_traffic_id) VALUES (?,?,?,?,?,?);
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO virtual_payload (csid,event_attributes,event_file_path,event_file_md5) VALUES ( ?,?,?,? );
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT * FROM fx_attachment2 WHERE msg_type=? AND msg_id=?;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT * FROM fx_recipient WHERE msg_type=? AND msg_id=?;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(direction) FROM fx_im_message WHERE direction=2;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(event_type) FROM fx_media WHERE event_type=?;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(*) FROM fx_remote_camera_image;
Source: certutil.exe, 0000000C.00000003.2202535216.0000000001204000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000002.2206197737.0000000001204000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2202346992.00000000011F4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2202391788.00000000011F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO nssPublic (id,ace536360,a0,ace53635a,ace5363b4,a81,a1,ace53635b,ace5363b5,a2,a82,a3,a170,ace536358,ace536359) VALUES($ID,$VALUE0,$VALUE1,$VALUE2,$VALUE3,$VALUE4,$VALUE5,$VALUE6,$VALUE7,$VALUE8,$VALUE9,$VALUE10,$VALUE11,$VALUE12,$VALUE13);
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(direction) FROM fx_system WHERE direction=?;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE fx_im_message SET event_time=?,direction=?,service_id=?,conversation_id=?,originator_id=?,text_representation=?,data=?,event_time_zone=? WHERE event_id=?;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT * FROM fx_traffic WHERE remote_host_id=?;
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO fx_location(event_time,calling_module,method,provider,latitude,longitude,altitude,horizontal_acc,vertical_acc,speed,heading,network_id,network_name,cell_name,cell_id,area_code,country_code,event_time_zone) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?);
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO fx_event_setting(event_time,event_time_zone) VALUES (?,?);
Source: svcAppLookup.exe, 00000008.00000003.2200403958.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200286967.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE fx_audio_call_recording SET event_time=?,media_type=?,filename=?,full_path=?,event_time_zone=? WHERE event_id=?;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO fx_traffic(app_layer_protocol_type,tran_layer_protocol_type,port_number,inbound_size,outbound_size,inbound_packet,outbound_packet,event_network_traffic_id,remote_host_id) VALUES (?,?,?,?,?,?,?,?,?);
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT * FROM fx_file_permission WHERE file_id=? AND file_info_type=?;
Source: svcAppLookup.exe, 00000008.00000003.2200403958.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200286967.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO fx_geo_tag(media_id,latitude,longitude,altitude) VALUES (?,?,?,?);
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO fx_video_thumb_data(media_id,image_full_path) VALUES (?,?);
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(event_type) FROM fx_thumbnail WHERE event_type=?;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO fx_im_conversation(event_time,service_id,owner_id,conversation_id,conversation_name,picture_profile,status_message,event_time_zone) VALUES (?,?,?,?,?,?,?,?);
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(*) FROM fx_im_account;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO fx_desktop_file_activity(event_time,user_logon,app_id,app_name,app_title,activity_type,file_type,activity_owner,date_created,date_modified,date_accessed,org_file_path,org_file_name,org_file_size,org_file_att,updated_file_path,updated_file_name,updated_file_size,updated_file_att,event_time_zone) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?);
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO fx_desktop_file_activity(event_time,user_logon,app_id,app_name,app_title,activity_type,file_type,activity_owner,date_created,date_modified,date_accessed,org_file_path,org_file_name,org_file_size,org_file_att,updated_file_path,updated_file_name,updated_file_size,updated_file_att,event_time_zone) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?);
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO fx_desktop_im(event_time,user_logon,app_id,app_name,app_title,service_id,conv_name,raw_data,formatted_data,snapshot_type,snapshot_path,event_time_zone) VALUES (?,?,?,?,?,?,?,?,?,?,?,?);
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE fx_remote_camera_image SET event_time=?,media_type=?,filename=?,full_path=?,event_time_zone=? WHERE event_id=?;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.000000000121A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT * FROM fx_session_store WHERE session_type=? AND session_user=? AND date_time=?;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(*) FROM fx_log_file_log;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(*) FROM fx_desktop_location;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(*) FROM fx_desktop_file_transfer;
Source: svcAppLookup.exe, 00000008.00000003.2200403958.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200286967.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE fx_desktop_print_job SET event_time=?,user_logon=?,app_id=?,app_name=?,app_title=?,job_id=?,owner_user_name=?,printer_name=?,document_name=?,submitted_time=?,total_pages=?,total_bytes=?,mime_type=?,print_data_filename=?,event_time_zone=? WHERE event_id=?;
Source: rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS rmt_cmd_data (id INTEGER PRIMARY KEY AUTOINCREMENT, cmd_code TEXT, is_reply_msg INTEGER, sender TEXT, rmt_cmd_type INTEGER, arguments BLOB, retry_count INTEGER, tagging TEXT);
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200286967.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT * FROM fx_attachment2 WHERE msg_type=? AND msg_id=?;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO fx_remote_host(remote_ipv4,remote_ipv6,host_name,event_network_traffic_id,network_interface_id) VALUES (?,?,?,?,?);
Source: nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(*) FROM fx_desktop_location;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE fx_mms SET event_time=?,direction=?,conversation_id=?,sender_address=?,sender_contact_name=?,subject=?,message=?,event_time_zone=? WHERE event_id=?;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO fx_im_account(event_time,service_id,owner_id,display_name,status_message,picture_profile,event_time_zone) VALUES (?,?,?,?,?,?,?);
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(*) FROM fx_sms;
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT * FROM fx_remote_host WHERE network_interface_id=?;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO fx_desktop_network_connection(event_time,user_logon,app_id,app_name,app_title,uid,network_type,adapter_name,adapter_des,mac_address,conn_state,network_name,ipv4_address,ipv6_address,subnet_mask,default_gateway,dhcp_server,dhcp_enabled,event_time_zone) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?);
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(*) FROM fx_im_account;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO fx_attachment2(full_path,msg_type,msg_id,file_name) VALUES (?,?,?,?);
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(direction) FROM fx_im_message WHERE direction=1;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.000000000121A000.00000004.00000020.00020000.00000000.sdmp, nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT event_id,event_time,event_time_zone,log_category,log_message,log_zip_file_path FROM fx_log_file_log WHERE event_id=?;
Source: nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO fx_attachment2(full_path,msg_type,msg_id,file_name) VALUES (?,?,?,?);
Source: rundll32.exe, 0000000A.00000002.4464986715.000000006B282000.00000002.00000001.01000000.0000001B.sdmp, rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp, svcAppInit.dll0.3.dr Binary or memory string: INSERT INTO rmt_cmd_data (cmd_code, is_reply_msg, sender, rmt_cmd_type, arguments, retry_count, tagging) VALUES (?,?,?,?,?,?,?);
Source: svcAppLookup.exe, 00000008.00000002.4464223091.000000006C4F5000.00000002.00000001.01000000.00000011.sdmp, svcAppLookup.exe, 00000008.00000003.2200403958.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200286967.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4464986715.000000006B282000.00000002.00000001.01000000.0000001B.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp, svcAppInit.dll0.3.dr Binary or memory string: INSERT INTO installed_app_from_running_app (app_id, app_name, version, location, icon_path, date_time, size) VALUES (?,?,?,?,?,?,?);
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT * FROM fx_network_interface WHERE event_network_traffic_id=?;
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200286967.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT * FROM fx_file_permission WHERE file_id=? AND file_info_type=?;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO fx_video_thumb_data(media_id,image_full_path) VALUES (?,?);
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE fx_desktop_key SET event_time=?,user_logon=?,app_id=?,app_name=?,app_title=?,raw_data=?,formatted_data=?,url=?,snapshot_type=?,snapshot_path=?,event_time_zone=? WHERE event_id=?;
Source: svcAppLookup.exe, 00000008.00000003.2210025540.0000000001FAD000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200187887.0000000001FA0000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4460147545.0000000001FAD000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.3575305638.0000000001FAB000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.3124518059.0000000001FAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(*) FROM fx_call_log;
Source: svcAppLookup.exe, 00000008.00000003.2200403958.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200286967.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO fx_geo_tag(media_id,latitude,longitude,altitude) VALUES (?,?,?,?);
Source: nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(*) FROM fx_desktop_email WHERE user_logon=? ;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.000000000121A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT * FROM fx_session_store LIMIT 0,1;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(direction) FROM fx_im_message WHERE direction=1;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(*) FROM fx_desktop_browser;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO fx_location(event_time,calling_module,method,provider,latitude,longitude,altitude,horizontal_acc,vertical_acc,speed,heading,network_id,network_name,cell_name,cell_id,area_code,country_code,event_time_zone) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?);
Source: certutil.exe, 0000000C.00000002.2206120578.00000000011D5000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203974030.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203856321.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203203715.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2202802777.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2204537899.00000000011D3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT ALL a0 FROM nssPublic WHERE id=$ID;
Source: svcAppLookup.exe, 00000008.00000003.2200403958.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200286967.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO fx_audio_call_recording(event_time,media_type,filename,full_path,event_time_zone) VALUES (?,?,?,?,?);
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO fx_mms(event_time,direction,conversation_id,sender_address,sender_contact_name,subject,message,event_time_zone) VALUES (?,?,?,?,?,?,?,?);
Source: svcAppLookup.exe, 00000008.00000002.4460147545.0000000001FCF000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200101408.0000000001FAF000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.3124446339.0000000001FCF000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.3575228733.0000000001FCF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE fx_desktop_protected_resource_audit_log SET event_time=?,user_logon=?,app_id=?,app_name=?,app_title=?,employee_id=?,app_credential_name=?,well_known_name=?,accessed_url=?,status_message=?,event_time_zone=?log_in_result=? WHERE event_id=?;
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO fx_traffic(app_layer_protocol_type,tran_layer_protocol_type,port_number,inbound_size,outbound_size,inbound_packet,outbound_packet,event_network_traffic_id,remote_host_id) VALUES (?,?,?,?,?,?,?,?,?);
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(*) FROM fx_log_file_log;
Source: svcAppLookup.exe, svcAppLookup.exe, 00000008.00000002.4464223091.000000006C4F5000.00000002.00000001.01000000.00000011.sdmp, svcAppLookup.exe, 00000008.00000000.2190159565.00000000006FE000.00000002.00000001.01000000.0000000E.sdmp, svcAppLookup.exe, 00000008.00000002.4458238469.00000000006FE000.00000002.00000001.01000000.0000000E.sdmp, nt_system_service.exe, nt_system_service.exe, 00000009.00000002.4458728112.00000000009B5000.00000002.00000001.01000000.0000000F.sdmp, nt_system_service.exe, 00000009.00000000.2191105493.00000000009B5000.00000002.00000001.01000000.0000000F.sdmp, rundll32.exe, 0000000A.00000002.4464986715.000000006B282000.00000002.00000001.01000000.0000001B.sdmp, svcAppLookup.exe0.3.dr, svcAppInit.dll0.3.drBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);re_profile=?,status_message=?,event_time_zone=?w
Source: svcAppLookup.exe, 00000008.00000003.2210025540.0000000001FAD000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200187887.0000000001FA0000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4460147545.0000000001FAD000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.3575305638.0000000001FAB000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.3124518059.0000000001FAB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(*) FROM fx_desktop_print_job;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE fx_audio_ambient_recording SET event_time=?,media_type=?,filename=?,full_path=?,duration=?,event_time_zone=? WHERE event_id=?;
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE fx_desktop_peripheral SET event_time=?,event_time_zone=?,user_logon=?,app_id=?,app_name=?,app_title=?,action=?,peripheral_type=?,serial_number=?,product_id=?,vendor_id=?,description=?manufacturer=?friendly_name=? WHERE event_id=?;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(*) FROM fx_panic_image;_id,VT
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_geo_tag(media_id,latitude,longitude,altitude) VALUES (?,?,?,?);p_id=?,app_name=?,
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_panic_status(event_time,status,event_time_zone) VALUES (?,?,?);ent_network_traffic_id)
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(event_type) FROM fx_thumbnail WHERE event_type=?;OO_
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_video_thumb_data(media_id,image_full_path) VALUES (?,?);TY`~
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_traffic WHERE remote_host_id=?;6,host_name,ALUES
Source: certutil.exe, 0000000C.00000002.2206120578.00000000011D5000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203974030.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203856321.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203203715.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2202802777.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2204537899.00000000011D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT ALL a3 FROM nssPublic WHERE id=$ID;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(*) FROM fx_thumbnail;itude,type,
Source: softokn3.dll.3.drBinary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_attachment2 WHERE msg_type=? AND msg_id=?;qR
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_desktop_network_connection(event_time,user_logon,app_id,app_name,app_title,uid,network_type,adapter_name,adapter_des,mac_address,conn_state,network_name,ipv4_address,ipv6_address,subnet_mask,default_gateway,dhcp_server,dhcp_enabled,event_time_zone) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?);rRW
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE fx_email SET event_time=?,direction=?,sender_email=?,sender_contact_name=?,subject=?,message=?,html_text=?,event_time_zone=? WHERE event_id=?;older,
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE ddm SET caller_id=1, priority_request=?, delivery_request_type=?, ready_to_resume=?, retry_count=?, max_retry_count=?, data_provider_type=?, is_require_encryption=?, is_require_compression=?, delay_time=? WHERE csId=?;unt INTEGER, max_retry_count INTEGER, data_provider_type INTEGER,
Source: softokn3.dll.3.drBinary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_video_thumb_data(media_id,image_full_path) VALUES (?,?);?
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_video_thumb_data(media_id,image_full_path) VALUES (?,?);5
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_traffic(app_layer_protocol_type,tran_layer_protocol_type,port_number,inbound_size,outbound_size,inbound_packet,outbound_packet,event_network_traffic_id,remote_host_id) VALUES (?,?,?,?,?,?,?,?,?);E3
Source: rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_network_interface WHERE event_network_traffic_id=?;pe,ysM
Source: rundll32.exe, 0000000A.00000002.4464986715.000000006B282000.00000002.00000001.01000000.0000001B.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp, svcAppInit.dll0.3.drBinary or memory string: SELECT * FROM rmt_cmd_data ORDER BY id ASC;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(*) FROM fx_system;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_video_thumb_data(media_id,image_full_path) VALUES (?,?);2
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(*) FROM fx_desktop_im;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE fx_media SET event_time=?,event_type=?,media_type=?,filename=?,full_path=?,has_thumbnail=?,thumbnail_delivered=?,event_time_zone=? WHERE event_id=?;*
Source: svcAppLookup.exe, svcAppLookup.exe, 00000008.00000002.4464223091.000000006C4F5000.00000002.00000001.01000000.00000011.sdmp, svcAppLookup.exe, 00000008.00000000.2190159565.00000000006FE000.00000002.00000001.01000000.0000000E.sdmp, svcAppLookup.exe, 00000008.00000002.4458238469.00000000006FE000.00000002.00000001.01000000.0000000E.sdmp, nt_system_service.exe, nt_system_service.exe, 00000009.00000002.4458728112.00000000009B5000.00000002.00000001.01000000.0000000F.sdmp, nt_system_service.exe, 00000009.00000000.2191105493.00000000009B5000.00000002.00000001.01000000.0000000F.sdmp, rundll32.exe, 0000000A.00000002.4464986715.000000006B282000.00000002.00000001.01000000.0000001B.sdmp, svcAppLookup.exe0.3.dr, svcAppInit.dll0.3.drBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_attachment2(full_path,msg_type,msg_id,file_name) VALUES (?,?,?,?);ivilege_read_execute,
Source: nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_remote_host WHERE network_interface_id=?;'
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_video_thumb_data(media_id,image_full_path) VALUES (?,?);b
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE fx_desktop_app_screenshot SET event_time=?,user_logon=?,app_id=?,app_name=?,app_title=?,app_category=?,url=?,snapshot_type=?,snapshot_path=?,event_time_zone=?,screen_category=? WHERE event_id=?;
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_desktop_file_activity(event_time,user_logon,app_id,app_name,app_title,activity_type,file_type,activity_owner,date_created,date_modified,date_accessed,org_file_path,org_file_name,org_file_size,org_file_att,updated_file_path,updated_file_name,updated_file_size,updated_file_att,event_time_zone) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?);
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_video_thumb_data(media_id,image_full_path) VALUES (?,?);V
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_im_message(event_time,direction,service_id,conversation_id,originator_id,text_representation,data,event_time_zone) VALUES (?,?,?,?,?,?,?,?);RW
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_remote_host WHERE network_interface_id=?;9
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_attachment2 WHERE msg_type=? AND msg_id=?;me)
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_attachment2(full_path,msg_type,msg_id,file_name) VALUES (?,?,?,?);_network_traffic_id)rovider,t{
Source: nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_video_thumb_data(media_id,image_full_path) VALUES (?,?);M
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_file_permission(username,privilege_full_control,privilege_modify,privilege_read_execute,privilege_read,privilege_write,privilege_list_folder,file_id,file_info_type) VALUES (?,?,?,?,?,?,?,?,?);vR70vR
Source: svcAppLookup.exe, 00000008.00000003.2200403958.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200286967.00000000012E5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);Eo
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_video_thumb_data(media_id,image_full_path) VALUES (?,?);P
Source: svcAppLookup.exe, 00000008.00000003.2200403958.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200286967.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_video_thumb_data(media_id,image_full_path) VALUES (?,?);
Source: svcAppLookup.exe, 00000008.00000002.4458821210.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200286967.00000000012E5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_recipient WHERE msg_type=? AND msg_id=?;-
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_desktop_log_on(event_time,user_logon,app_id,app_name,app_title,action,domain_name,event_time_zone) VALUES (?,?,?,?,?,?,?,?);r=?,latitude=?}
Source: nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS fx_web_mail_2 (id INTEGER PRIMARY KEY AUTOINCREMENT, email_provider INTEGER, email_id TEXT, email_direction INTEGER, date_time TEXT);protocol_type,t
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_recipient WHERE msg_type=? AND msg_id=?;'
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_geo_tag(media_id,latitude,longitude,altitude) VALUES (?,?,?,?);ce_id,conv_name,raw_data,
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_call_tag(media_id,direction,duration,number,contact_name) VALUES (?,?,?,?,?);
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_video_thumb_data(media_id,image_full_path) VALUES (?,?);rk_traffic_id,tivity_type,,V2$
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_geo_tag(media_id,latitude,longitude,altitude) VALUES (?,?,?,?);pe,msg_id) VALUES V
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE fx_panic_image SET event_time=?,latitude=?,longitude=?,altitude=?,coordinate_acc=?,network_name=?,network_id=?,cell_name=?,cell_id=?,country_code=?,area_code=?,media_type=?,image_path=?,event_time_zone=? WHERE event_id=?;
Source: nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_recipient WHERE msg_type=? AND msg_id=?;2
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_recipient WHERE msg_type=? AND msg_id=?;7
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_file_permission(username,privilege_full_control,privilege_modify,privilege_read_execute,privilege_read,privilege_write,privilege_list_folder,file_id,file_info_type) VALUES (?,?,?,?,?,?,?,?,?);me_zone) VALUES
Source: softokn3.dll.3.drBinary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_video_thumb_data(media_id,image_full_path) VALUES (?,?);)
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO csid_generator (latest_csid) VALUES ( ? );
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_video_thumb_data(media_id,image_full_path) VALUES (?,?);(
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(*) FROM fx_desktop_browser;,Z
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE fx_im_contact SET event_time=?,service_id=?,owner_id=?,contact_id=?,display_name=?,status_message=?,picture_profile=?,event_time_zone=? WHERE event_id=?;
Source: nt_system_service.exe, 00000009.00000002.4458728112.00000000009B5000.00000002.00000001.01000000.0000000F.sdmp, nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, nt_system_service.exe, 00000009.00000000.2191105493.00000000009B5000.00000002.00000001.01000000.0000000F.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS fx_web_mail_2 (id INTEGER PRIMARY KEY AUTOINCREMENT, email_provider INTEGER, email_id TEXT, email_direction INTEGER, date_time TEXT);
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_attachment2 WHERE msg_type=? AND msg_id=?;rR
Source: nt_system_service.exe, 00000009.00000002.4458728112.00000000009B5000.00000002.00000001.01000000.0000000F.sdmp, nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, nt_system_service.exe, 00000009.00000000.2191105493.00000000009B5000.00000002.00000001.01000000.0000000F.sdmpBinary or memory string: INSERT INTO fx_web_mail_2 (email_provider, email_id, email_direction, date_time) VALUES (?,?,?,?);
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS fx_desktop_location(event_id INTEGER PRIMARY KEY AUTOINCREMENT,event_time TEXT,event_time_zone TEXT,user_logon TEXT,app_id TEXT,app_name TEXT,app_title TEXT,calling_module INTEGER,method INTEGER,provider INTEGER,latitude REAL,longitude REAL,altitude REAL,horizontal_acc REAL,vertical_acc REAL,speed REAL,heading REAL,network_id TEXT,network_name TEXT,cell_name TEXT,cell_id INTEGER,area_code INTEGER,country_code TEXT);RY KEY AUT
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_attachment2(full_path,msg_type,msg_id,file_name) VALUES (?,?,?,?);VW'
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_attachment2 WHERE msg_type=? AND msg_id=?;%
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);ge_read,privilege_write,privilege_list_folder,Rw.
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_recipient WHERE msg_type=? AND msg_id=?;m
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE fx_desktop_network_traffic SET event_time=?,user_logon=?,app_id=?,app_name=?,app_title=?,date_time_start=?,date_time_end=?,event_time_zone=? WHERE event_id=?;
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_recipient WHERE msg_type=? AND msg_id=?;g
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_attachment2(full_path,msg_type,msg_id,file_name) VALUES (?,?,?,?);msg_id) VALUES ork_id,
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_email(event_time,direction,sender_email,sender_contact_name,subject,message,html_text,event_time_zone) VALUES (?,?,?,?,?,?,?,?);
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_panic_image(event_time,latitude,longitude,altitude,coordinate_acc,network_name,network_id,cell_name,cell_id,country_code,area_code,media_type,image_path,event_time_zone) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?);
Source: svcAppLookup.exe, 00000008.00000003.2200403958.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200286967.00000000012E5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);Jm
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_geo_tag(media_id,latitude,longitude,altitude) VALUES (?,?,?,?);KZA
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_recipient WHERE msg_type=? AND msg_id=?;w
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE fx_browser_url SET event_time=?,title=?,url=?,visit_time=?,is_blocked=?,owning_app=?,event_time_zone=? WHERE event_id=?;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_remote_host WHERE network_interface_id=?;rol,
Source: softokn3.dll.3.drBinary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(*) FROM fx_mms;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_video_thumb_data(media_id,image_full_path) VALUES (?,?); KEY AUTOINCREMENT,event_time TEXT
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_desktop_app_screenshot(event_time,user_logon,app_id,app_name,app_title,app_category,url,snapshot_type,snapshot_path,event_time_zone,screen_category) VALUES (?,?,?,?,?,?,?,?,?,?,?);
Source: svcAppLookup.exe, 00000008.00000003.2200403958.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200286967.00000000012E5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_remote_host(remote_ipv4,remote_ipv6,host_name,event_network_traffic_id,network_interface_id) VALUES (?,?,?,?,?);redential_name=?,st_folder,
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_attachment2(full_path,msg_type,msg_id,file_name) VALUES (?,?,?,?);d=?,app_name=?,action,V[T
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT COUNT(*) FROM fx_app_life_cycle;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_recipient WHERE msg_type=? AND msg_id=?;E
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_recipient WHERE msg_type=? AND msg_id=?;G
Source: svcAppLookup.exe, 00000008.00000002.4458821210.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200286967.00000000012E5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_recipient WHERE msg_type=? AND msg_id=?;I
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE fx_desktop_src_record SET event_time=?,user_logon=?,app_id=?,app_name=?,app_title=?,calling_module=?,frame_strip=?,snapshot_type=?,snapshot_path=?,event_time_zone=? WHERE event_id=?;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_video_thumb_data(media_id,image_full_path) VALUES (?,?);on_id,conversation_name,ecute,U
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);sfer_type=?,source=?,destination=?,filename=?,Rwa
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT COUNT(*) FROM fx_panic_image;
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_traffic WHERE remote_host_id=?;_full_control,rR
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_recipient WHERE msg_type=? AND msg_id=?;W
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_recipient WHERE msg_type=? AND msg_id=?;V
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT COUNT(*) FROM fx_desktop_app_screenshot;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_video_thumb_data(media_id,image_full_path) VALUES (?,?);_modify,privilege_read_execute,m
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE ddm SET ready_to_resume=1 WHERE csId=?;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_geo_tag(media_id,latitude,longitude,altitude) VALUES (?,?,?,?);_name=?,app_title=?,uid=?,'A
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT COUNT(*) FROM fx_desktop_log_on;? AND sC
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);,R
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT COUNT(*) FROM fx_thumbnail;te_host_id
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);ame_strip=?,snapshot_type=?,snapshot_path=?,,R
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);V`8
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_remote_host(remote_ipv4,remote_ipv6,host_name,event_network_traffic_id,network_interface_id) VALUES (?,?,?,?,?);e=?,document_name=?,folder,
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT COUNT(*) FROM fx_location;sg_type=?}
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_browser_url(event_time,title,url,visit_time,is_blocked,owning_app,event_time_zone) VALUES (?,?,?,?,?,?,?);
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT COUNT(direction) FROM fx_email WHERE direction=2;R
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT COUNT(*) FROM fx_desktop_print_job;t_id
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT COUNT(direction) FROM fx_sms WHERE direction=2;7
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE fx_remote_camera_image SET event_time=?,media_type=?,filename=?,full_path=?,event_time_zone=? WHERE event_id=?;ime=?,stop_time=?,duration=? WHERE H%
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_video_thumb_data(media_id,image_full_path) VALUES (?,?);UZc
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT COUNT(direction) FROM fx_desktop_file_transfer WHERE direction=?;code
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_remote_host WHERE network_interface_id=?;e,V
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_desktop_network_traffic(event_time,user_logon,app_id,app_name,app_title,date_time_start,date_time_end,event_time_zone) VALUES (?,?,?,?,?,?,?,?);
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_remote_host(remote_ipv4,remote_ipv6,host_name,event_network_traffic_id,network_interface_id) VALUES (?,?,?,?,?);type,snapshot_path,_folder,R7
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT COUNT(*) FROM fx_desktop_email;=? AND
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT COUNT(direction) FROM fx_mms WHERE direction=2;,sender_addressW
Source: certutil.exe, 0000000C.00000002.2206120578.00000000011D5000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203974030.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203856321.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203203715.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2202802777.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2204537899.00000000011D3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT ALL a3 FROM nssPublic WHERE id=$ID;vdq
Source: svcAppLookup.exe, 00000008.00000002.4458821210.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200286967.00000000012E5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_attachment2 WHERE msg_type=? AND msg_id=?;me)}
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_recipient WHERE msg_type=? AND msg_id=?;isplay_name,
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_geo_tag(media_id,latitude,longitude,altitude) VALUES (?,?,?,?);pe,msg_id) VALUES Vs
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_traffic(app_layer_protocol_type,tran_layer_protocol_type,port_number,inbound_size,outbound_size,inbound_packet,outbound_packet,event_network_traffic_id,remote_host_id) VALUES (?,?,?,?,?,?,?,?,?);M
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_traffic(app_layer_protocol_type,tran_layer_protocol_type,port_number,inbound_size,outbound_size,inbound_packet,outbound_packet,event_network_traffic_id,remote_host_id) VALUES (?,?,?,?,?,?,?,?,?);Q
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);full_name=?,icon=?,event_time_zone=? WHERE r,R
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE fx_audio_call_recording SET event_time=?,media_type=?,filename=?,full_path=?,event_time_zone=? WHERE event_id=?;@
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_video_thumb_data(media_id,image_full_path) VALUES (?,?);nate_acc,network_name,network_id,V
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_traffic(app_layer_protocol_type,tran_layer_protocol_type,port_number,inbound_size,outbound_size,inbound_packet,outbound_packet,event_network_traffic_id,remote_host_id) VALUES (?,?,?,?,?,?,?,?,?);E
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_network_interface(type,name,description,local_ipv4,local_ipv6,event_network_traffic_id) VALUES (?,?,?,?,?,?);ge_write,privilege_list_folder,
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_traffic(app_layer_protocol_type,tran_layer_protocol_type,port_number,inbound_size,outbound_size,inbound_packet,outbound_packet,event_network_traffic_id,remote_host_id) VALUES (?,?,?,?,?,?,?,?,?);H
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);]Mb
Source: nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_traffic WHERE remote_host_id=?;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_traffic(app_layer_protocol_type,tran_layer_protocol_type,port_number,inbound_size,outbound_size,inbound_packet,outbound_packet,event_network_traffic_id,remote_host_id) VALUES (?,?,?,?,?,?,?,?,?);^
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_traffic(app_layer_protocol_type,tran_layer_protocol_type,port_number,inbound_size,outbound_size,inbound_packet,outbound_packet,event_network_traffic_id,remote_host_id) VALUES (?,?,?,?,?,?,?,?,?);\
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_desktop_peripheral(event_time,event_time_zone,user_logon,app_id,app_name,app_title,action,peripheral_type,serial_number,product_id,vendor_id,description,manufacturer,friendly_name) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?);
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_geo_tag(media_id,latitude,longitude,altitude) VALUES (?,?,?,?);[YQ~
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_attachment2(full_path,msg_type,msg_id,file_name) VALUES (?,?,?,?);tatus_message,
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT COUNT(direction) FROM fx_mms WHERE direction=2;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_attachment2(full_path,msg_type,msg_id,file_name) VALUES (?,?,?,?);_id,ge_read_execute,
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_traffic(app_layer_protocol_type,tran_layer_protocol_type,port_number,inbound_size,outbound_size,inbound_packet,outbound_packet,event_network_traffic_id,remote_host_id) VALUES (?,?,?,?,?,?,?,?,?);Z
Source: svcAppLookup.exe, 00000008.00000003.2210025540.0000000001FAD000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200187887.0000000001FA0000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4460147545.0000000001FAD000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.3575305638.0000000001FAB000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.3124518059.0000000001FAB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT COUNT(*) FROM fx_location;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_geo_tag(media_id,latitude,longitude,altitude) VALUES (?,?,?,?);#%
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_audio_ambient_recording(event_time,media_type,filename,full_path,duration,event_time_zone) VALUES (?,?,?,?,?,?);write,privilege_list_folder,
Source: nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_traffic(app_layer_protocol_type,tran_layer_protocol_type,port_number,inbound_size,outbound_size,inbound_packet,outbound_packet,event_network_traffic_id,remote_host_id) VALUES (?,?,?,?,?,?,?,?,?);o
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_traffic(app_layer_protocol_type,tran_layer_protocol_type,port_number,inbound_size,outbound_size,inbound_packet,outbound_packet,event_network_traffic_id,remote_host_id) VALUES (?,?,?,?,?,?,?,?,?);m
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_geo_tag(media_id,latitude,longitude,altitude) VALUES (?,?,?,?);,calling_module,method,providerj{r~
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT COUNT(*) FROM fx_app_life_cycle;st_id
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE fx_desktop_browser SET event_time=?,user_logon=?,app_id=?,app_name=?,app_title=?,url=?,event_time_zone=?,start_time=?,stop_time=?,duration=? WHERE event_id=?;Vg
Source: nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_traffic(app_layer_protocol_type,tran_layer_protocol_type,port_number,inbound_size,outbound_size,inbound_packet,outbound_packet,event_network_traffic_id,remote_host_id) VALUES (?,?,?,?,?,?,?,?,?);f
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_network_interface(type,name,description,local_ipv4,local_ipv6,event_network_traffic_id) VALUES (?,?,?,?,?,?);e,event_time_zone) VALUES
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_traffic(app_layer_protocol_type,tran_layer_protocol_type,port_number,inbound_size,outbound_size,inbound_packet,outbound_packet,event_network_traffic_id,remote_host_id) VALUES (?,?,?,?,?,?,?,?,?);h
Source: svcAppLookup.exe, svcAppLookup.exe, 00000008.00000002.4464223091.000000006C4F5000.00000002.00000001.01000000.00000011.sdmp, svcAppLookup.exe, 00000008.00000000.2190159565.00000000006FE000.00000002.00000001.01000000.0000000E.sdmp, svcAppLookup.exe, 00000008.00000002.4458238469.00000000006FE000.00000002.00000001.01000000.0000000E.sdmp, nt_system_service.exe, nt_system_service.exe, 00000009.00000002.4458728112.00000000009B5000.00000002.00000001.01000000.0000000F.sdmp, nt_system_service.exe, 00000009.00000000.2191105493.00000000009B5000.00000002.00000001.01000000.0000000F.sdmp, rundll32.exe, 0000000A.00000002.4464986715.000000006B282000.00000002.00000001.01000000.0000001B.sdmp, svcAppLookup.exe0.3.dr, svcAppInit.dll0.3.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_video_thumb_data(media_id,image_full_path) VALUES (?,?);le,action,device_type,name,d)
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_traffic(app_layer_protocol_type,tran_layer_protocol_type,port_number,inbound_size,outbound_size,inbound_packet,outbound_packet,event_network_traffic_id,remote_host_id) VALUES (?,?,?,?,?,?,?,?,?);}
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT COUNT(*) FROM fx_browser_url;E file_id
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_traffic(app_layer_protocol_type,tran_layer_protocol_type,port_number,inbound_size,outbound_size,inbound_packet,outbound_packet,event_network_traffic_id,remote_host_id) VALUES (?,?,?,?,?,?,?,?,?);w
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_attachment2 WHERE msg_type=? AND msg_id=?;me)*
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_desktop_file_transfer(event_time,user_logon,app_id,app_name,app_title,direction,transfer_type,source,destination,filename,filesize,event_time_zone) VALUES (?,?,?,?,?,?,?,?,?,?,?,?);Rg
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_traffic WHERE remote_host_id=?;,
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);,latitude,longitude,altitude,horizontal_acc,
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_file_permission WHERE file_id=? AND file_info_type=?;Q+
Source: svcAppLookup.exe, 00000008.00000003.2210025540.0000000001FAD000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200187887.0000000001FA0000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4460147545.0000000001FAD000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.3575305638.0000000001FAB000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.3124518059.0000000001FAB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT COUNT(*) FROM fx_audio_call_recording;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_traffic WHERE remote_host_id=?;,&
Source: svcAppLookup.exe, 00000008.00000002.4458821210.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200286967.00000000012E5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT COUNT(*) FROM fx_audio_ambient_recording;,media_type,filename,?
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO phoenix_session (csid,ready_flag, payload_path, protocol_version, product_id, product_version, config_id, device_id, activate_code, language, phone_number, mcc, mnc, imsi, host_url, encrypt_code, compress_code, connection_timeout) VALUES (?,0,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?) ;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_file_permission WHERE file_id=? AND file_info_type=?;9[u
Source: svcAppLookup.exe, 00000008.00000003.2200403958.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200286967.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_call_log(event_time,direction,duration,number,contact_name,event_time_zone) VALUES (?,?,?,?,?,?);
Source: nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT COUNT(direction) FROM fx_desktop_email WHERE direction=2 AND user_logon=? ;\
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE fx_desktop_network_connection SET event_time=?,user_logon=?,app_id=?,app_name=?,app_title=?,uid=?,network_type=?,adapter_name=?,adapter_des=?,mac_address=?,conn_state=?,network_name=?,ipv4_address=?,ipv6_address=?,subnet_mask=?,default_gateway=?,dhcp_server=?,dhcp_enabled=?,event_time_zone=? WHERE event_id=?;V
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT COUNT(*) FROM fx_desktop_email;g_type,c#
Source: svcAppLookup.exe, 00000008.00000002.4458821210.000000000121A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_network_interface WHERE event_network_traffic_id=?;pe,
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_remote_host WHERE network_interface_id=?;) VALUES R
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_traffic(app_layer_protocol_type,tran_layer_protocol_type,port_number,inbound_size,outbound_size,inbound_packet,outbound_packet,event_network_traffic_id,remote_host_id) VALUES (?,?,?,?,?,?,?,?,?);}&
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE fx_im_contact SET event_time=?,service_id=?,owner_id=?,contact_id=?,display_name=?,status_message=?,picture_profile=?,event_time_zone=? WHERE event_id=?;R
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_video_thumb_data(media_id,image_full_path) VALUES (?,?);,app_name=?,app_title=?,ecute,;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_remote_host(remote_ipv4,remote_ipv6,host_name,event_network_traffic_id,network_interface_id) VALUES (?,?,?,?,?);vent_time_zone) VALUES 4
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_geo_tag(media_id,latitude,longitude,altitude) VALUES (?,?,?,?);_name=?,app_title=?,uid=?,V
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_network_interface(type,name,description,local_ipv4,local_ipv6,event_network_traffic_id) VALUES (?,?,?,?,?,?);ge_write,privilege_list_folder,R
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE phoenix_session SET ready_flag=1, payload_size=?, payload_crc=?, public_key=?, ssid=?, encrypt_code=?, compress_code=?, has_virtual_payload=?, virtual_payload_attributes=?, aes_key=? WHERE csid=?;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT COUNT(direction) FROM fx_desktop_email WHERE direction=2;R
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_recipient WHERE msg_type=? AND msg_id=?;G@
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_traffic(app_layer_protocol_type,tran_layer_protocol_type,port_number,inbound_size,outbound_size,inbound_packet,outbound_packet,event_network_traffic_id,remote_host_id) VALUES (?,?,?,?,?,?,?,?,?);}6
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);full_name=?,icon=?,event_time_zone=? WHERE V
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_video_thumb_data(media_id,image_full_path) VALUES (?,?);,msg_type,msg_id) VALUES le,Vg5
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_remote_host WHERE network_interface_id=?;_No~
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE fx_desktop_app_usage SET event_time=?,user_logon=?,app_id=?,app_name=?,app_title=?,got_focus=?,lost_focus=?,duration=?,owner_domain=?,owner_username=?,elevated=?,event_time_zone=? WHERE event_id=?;Rg
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE fx_desktop_network_connection SET event_time=?,user_logon=?,app_id=?,app_name=?,app_title=?,uid=?,network_type=?,adapter_name=?,adapter_des=?,mac_address=?,conn_state=?,network_name=?,ipv4_address=?,ipv6_address=?,subnet_mask=?,default_gateway=?,dhcp_server=?,dhcp_enabled=?,event_time_zone=? WHERE event_id=?;w
Source: certutil.exe, 0000000C.00000002.2206120578.00000000011D5000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203974030.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203856321.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203203715.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2202802777.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2204537899.00000000011D3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT ALL id FROM nssPublic WHERE a1=$DATA0 AND a0=$DATA1 AND a81=$DATA2 AND a82=$DATA3;H
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT COUNT(direction) FROM fx_mms WHERE direction=1;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_network_interface WHERE event_network_traffic_id=?;pe,_titlef
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_video_thumb_data(media_id,image_full_path) VALUES (?,?);,msg_type,msg_id) VALUES l_name,Vj
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_traffic(app_layer_protocol_type,tran_layer_protocol_type,port_number,inbound_size,outbound_size,inbound_packet,outbound_packet,event_network_traffic_id,remote_host_id) VALUES (?,?,?,?,?,?,?,?,?);<7
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_attachment2(full_path,msg_type,msg_id,file_name) VALUES (?,?,?,?);_id,d) VALUES V
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_remote_host WHERE network_interface_id=?;) VALUES }(
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);=?,sender_email=?,sender_contact_name=?,subjectaf<
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_file_permission(username,privilege_full_control,privilege_modify,privilege_read_execute,privilege_read,privilege_write,privilege_list_folder,file_id,file_info_type) VALUES (?,?,?,?,?,?,?,?,?);
Source: svcAppLookup.exe, 00000008.00000003.2200403958.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200286967.00000000012E5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_call_log(event_time,direction,duration,number,contact_name,event_time_zone) VALUES (?,?,?,?,?,?);]m
Source: nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_file_permission WHERE file_id=? AND file_info_type=?;c!2}
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS csid_generator (BASE_ID INTEGER PRIMARY KEY AUTOINCREMENT,latest_csid INTEGER);
Source: svcAppLookup.exe, 00000008.00000003.2210025540.0000000001FAD000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200187887.0000000001FA0000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4460147545.0000000001FAD000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.3575305638.0000000001FAB000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.3124518059.0000000001FAB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT COUNT(*) FROM fx_call_log;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_thumbnail(event_time,event_type,media_id,media_type,actual_size,actual_duration,full_path,event_time_zone) VALUES (?,?,?,?,?,?,?,?);
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM fx_attachment2 WHERE msg_type=? AND msg_id=?;uR
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO fx_video_thumb_data(media_id,image_full_path) VALUES (?,?);rk_traffic_id,d) VALUES
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_remote_host WHERE network_interface_id=?;j7
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE fx_mms SET event_time=?,direction=?,conversation_id=?,sender_address=?,sender_contact_name=?,subject=?,message=?,event_time_zone=? WHERE event_id=?;R
Source: svcAppLookup.exe, 00000008.00000003.2200403958.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200286967.00000000012E5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_network_interface(type,name,description,local_ipv4,local_ipv6,event_network_traffic_id) VALUES (?,?,?,?,?,?);ge_write,privilege_list_folder,oo
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_desktop_usb(event_time,user_logon,app_id,app_name,app_title,action,device_type,name,event_time_zone) VALUES (?,?,?,?,?,?,?,?,?);
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(*) FROM fx_media;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);V"I
Source: nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_traffic WHERE remote_host_id=?;ll_path) VALUES S
Source: certutil.exe, 0000000C.00000002.2206120578.00000000011D5000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203974030.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203856321.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203203715.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2202802777.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2204537899.00000000011D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT ALL a0 FROM nssPublic WHERE id=$ID;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_remote_host(remote_ipv4,remote_ipv6,host_name,event_network_traffic_id,network_interface_id) VALUES (?,?,?,?,?);ner_domain=?,owner_username
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_traffic(app_layer_protocol_type,tran_layer_protocol_type,port_number,inbound_size,outbound_size,inbound_packet,outbound_packet,event_network_traffic_id,remote_host_id) VALUES (?,?,?,?,?,?,?,?,?);9>
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_traffic WHERE remote_host_id=?;,}
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_attachment2 WHERE msg_type=? AND msg_id=?;me)tRW
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE fx_event_setting SET event_time=?,event_time_zone=? WHERE event_id=?;R7*
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE fx_desktop_protected_resource_audit_log SET event_time=?,user_logon=?,app_id=?,app_name=?,app_title=?,employee_id=?,app_credential_name=?,well_known_name=?,accessed_url=?,status_message=?,event_time_zone=?log_in_result=? WHERE event_id=?;V
Source: svcAppLookup.exe, 00000008.00000003.2200403958.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200286967.00000000012E5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_attachment2(full_path,msg_type,msg_id,file_name) VALUES (?,?,?,?);Mi
Source: rundll32.exe, 0000000A.00000002.4464986715.000000006B282000.00000002.00000001.01000000.0000001B.sdmp, svcAppInit.dll0.3.drBinary or memory string: UPDATE rmt_cmd_data SET retry_count=? WHERE cmd_code=? AND is_reply_msg=? AND sender=? AND rmt_cmd_type=? AND tagging=?;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);tation=?,data=?,event_time_zone=? WHERE +
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE fx_media SET thumbnail_delivered=? WHERE event_id=?;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_network_interface(type,name,description,local_ipv4,local_ipv6,event_network_traffic_id) VALUES (?,?,?,?,?,?);ge_write,privilege_list_folder,tic
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(direction) FROM fx_mms WHERE direction=1;AsR
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE fx_system SET event_time=?,category=?,direction=?,message=?,event_time_zone=? WHERE event_id=?;zZ
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_attachment2 WHERE msg_type=? AND msg_id=?;3A
Source: svcAppLookup.exe, 00000008.00000003.2200403958.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200286967.00000000012E5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_video_thumb_data(media_id,image_full_path) VALUES (?,?);]j
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_attachment2(full_path,msg_type,msg_id,file_name) VALUES (?,?,?,?);msg_id) VALUES cute,
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_remote_host WHERE network_interface_id=?;E
Source: nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_remote_host WHERE network_interface_id=?;B
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_remote_host WHERE network_interface_id=?;A
Source: nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_network_interface(type,name,description,local_ipv4,local_ipv6,event_network_traffic_id) VALUES (?,?,?,?,?,?);ge_write,privilege_list_folder,1.
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_geo_tag(media_id,latitude,longitude,altitude) VALUES (?,?,?,?);le=?,action=?,device_typeR
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_file_permission(username,privilege_full_control,privilege_modify,privilege_read_execute,privilege_read,privilege_write,privilege_list_folder,file_id,file_info_type) VALUES (?,?,?,?,?,?,?,?,?);nt_data_filename=?,erver,
Source: certutil.exe, 0000000C.00000002.2206120578.00000000011D5000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203974030.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203856321.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203203715.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2202802777.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2204537899.00000000011D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT ALL a3 FROM nssPublic WHERE id=$ID;;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_remote_host WHERE network_interface_id=?;[
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(direction) FROM fx_desktop_email WHERE direction=1;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_geo_tag(media_id,latitude,longitude,altitude) VALUES (?,?,?,?);ent_network_traffic_id)-#
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_attachment2(full_path,msg_type,msg_id,file_name) VALUES (?,?,?,?);bject,message,ecute,3
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_remote_host WHERE network_interface_id=?;d=?,%
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_traffic(app_layer_protocol_type,tran_layer_protocol_type,port_number,inbound_size,outbound_size,inbound_packet,outbound_packet,event_network_traffic_id,remote_host_id) VALUES (?,?,?,?,?,?,?,?,?);y2
Source: svcAppLookup.exe, 00000008.00000002.4464223091.000000006C4F5000.00000002.00000001.01000000.00000011.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.000000000121A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4464986715.000000006B282000.00000002.00000001.01000000.0000001B.sdmp, rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp, svcAppInit.dll0.3.drBinary or memory string: CREATE TABLE IF NOT EXISTS installed_app_from_running_app (id INTEGER PRIMARY KEY AUTOINCREMENT, app_id TEXT, app_name TEXT, version TEXT, location TEXT, icon_path TEXT, date_time TEXT, size INTEGER);
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_traffic(app_layer_protocol_type,tran_layer_protocol_type,port_number,inbound_size,outbound_size,inbound_packet,outbound_packet,event_network_traffic_id,remote_host_id) VALUES (?,?,?,?,?,?,?,?,?);,
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE fx_desktop_usb SET event_time=?,user_logon=?,app_id=?,app_name=?,app_title=?,action=?,device_type=?,name=?,event_time_zone=? WHERE event_id=?;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_traffic(app_layer_protocol_type,tran_layer_protocol_type,port_number,inbound_size,outbound_size,inbound_packet,outbound_packet,event_network_traffic_id,remote_host_id) VALUES (?,?,?,?,?,?,?,?,?);-
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT event_attributes, event_file_path, event_file_md5 FROM virtual_payload WHERE csid=?;ALUES }h
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(*) FROM fx_im_contact;
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_traffic(app_layer_protocol_type,tran_layer_protocol_type,port_number,inbound_size,outbound_size,inbound_packet,outbound_packet,event_network_traffic_id,remote_host_id) VALUES (?,?,?,?,?,?,?,?,?);3
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_im_message(event_time,direction,service_id,conversation_id,originator_id,text_representation,data,event_time_zone) VALUES (?,?,?,?,?,?,?,?);
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_attachment2 WHERE msg_type=? AND msg_id=?;5)
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(*) FROM fx_desktop_app_usage;t_idM
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_traffic(app_layer_protocol_type,tran_layer_protocol_type,port_number,inbound_size,outbound_size,inbound_packet,outbound_packet,event_network_traffic_id,remote_host_id) VALUES (?,?,?,?,?,?,?,?,?);*
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_geo_tag(media_id,latitude,longitude,altitude) VALUES (?,?,?,?);pe,msg_id) VALUES
Source: nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_network_interface(type,name,description,local_ipv4,local_ipv6,event_network_traffic_id) VALUES (?,?,?,?,?,?);ge_write,privilege_list_folder,e,i
Source: svcAppLookup.exe, 00000008.00000002.4458821210.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200286967.00000000012E5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_remote_host WHERE network_interface_id=?;_
Source: svcAppLookup.exe, 00000008.00000003.2200286967.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_traffic(app_layer_protocol_type,tran_layer_protocol_type,port_number,inbound_size,outbound_size,inbound_packet,outbound_packet,event_network_traffic_id,remote_host_id) VALUES (?,?,?,?,?,?,?,?,?);>
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_remote_host WHERE network_interface_id=?;}
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_network_interface(type,name,description,local_ipv4,local_ipv6,event_network_traffic_id) VALUES (?,?,?,?,?,?);&M
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_remote_host WHERE network_interface_id=?;ALUES V5
Source: svcAppLookup.exe, 00000008.00000003.2200403958.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200286967.00000000012E5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_network_interface(type,name,description,local_ipv4,local_ipv6,event_network_traffic_id) VALUES (?,?,?,?,?,?);gm
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(direction) FROM fx_desktop_email WHERE direction=2;
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM fx_network_interface WHERE event_network_traffic_id=?;,app_id,V
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_im_account(event_time,service_id,owner_id,display_name,status_message,picture_profile,event_time_zone) VALUES (?,?,?,?,?,?,?);W,
Source: certutil.exe, 0000000C.00000003.2202535216.0000000001204000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000002.2206197737.0000000001204000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2202346992.00000000011F4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2202391788.00000000011F4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO nssPublic (id,ace536360,a0,ace53635a,ace5363b4,a81,a1,ace53635b,ace5363b5,a2,a82,a3,a170,ace536358,ace536359) VALUES($ID,$VALUE0,$VALUE1,$VALUE2,$VALUE3,$VALUE4,$VALUE5,$VALUE6,$VALUE7,$VALUE8,$VALUE9,$VALUE10,$VALUE11,$VALUE12,$VALUE13);z
Source: certutil.exe, 0000000C.00000002.2205820364.0000000001172000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2205101694.0000000001171000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2205048101.0000000001167000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT ALL id FROM nssPublic WHERE a0=$DATA0 AND a3=$DATA1;
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_sms(event_time,direction,conversation_id,sender_number,sender_contact_name,subject,message,event_time_zone) VALUES (?,?,?,?,?,?,?,?);
Source: svcAppLookup.exe, 00000008.00000003.2200403958.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4458821210.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000003.2200286967.00000000012E5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO fx_recipient(recipient_type,recipient,recipient_contact_name,msg_type,msg_id) VALUES (?,?,?,?,?);5n
Source: svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE fx_media SET event_time=?,event_type=?,media_type=?,filename=?,full_path=?,has_thumbnail=?,thumbnail_delivered=?,event_time_zone=? WHERE event_id=?;
Source: antivirus_detector.exeString found in binary or memory: self re-launch: fail !!!
Source: antivirus_detector.exeString found in binary or memory: https://portal.mobilebackup.biz/help/en/install/pc/common-anti-virus-program-instructions-for-adding-exclusions.html
Source: antivirus_detector.exeString found in binary or memory: https://portal.mobilebackup.biz/help/en/install/pc/configure-exclusions-for-windows.html
Source: antivirus_detector.exeString found in binary or memory: self re-launch: success !!!
Source: C:\Users\user\Desktop\5006_2.6.2.exeFile read: C:\Users\user\Desktop\5006_2.6.2.exe
Source: unknownProcess created: C:\Users\user\Desktop\5006_2.6.2.exe "C:\Users\user\Desktop\5006_2.6.2.exe"
Source: C:\Users\user\Desktop\5006_2.6.2.exeProcess created: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe "antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exeProcess created: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe "C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe" -s=1
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exeProcess created: C:\Program Files (x86)\Windows Provisioning\post_install.exe "post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0
Source: unknownProcess created: C:\Program Files (x86)\Windows Provisioning\svcAppUpdate.exe "C:\Program Files (x86)\Windows Provisioning\svcAppUpdate.exe"
Source: unknownProcess created: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe "C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe"
Source: unknownProcess created: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe "C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe"
Source: unknownProcess created: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe "C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe"
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Program Files (x86)\Windows Provisioning\svcAppInit.dll",ProcessDll s=hidedialog
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeProcess created: C:\Windows\System32\rundll32.exe C:\Windows\sysnative\rundll32.exe "C:\Program Files (x86)\Windows Provisioning\windows_hook_64.dll",ProcessDllStub
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeProcess created: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exe nss\certutil -A -t "TCu" -i "C:\PROGRA~2\WIE901~1\app_data\DE_NET~1/SSL/DIGICE~1.CER" -n "de_netfilter/SSL/DigiCert SHA2 Extended Validation Server CA 3" -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\V6ZCHH~1.DEF" -f pwfile
Source: C:\Users\user\Desktop\5006_2.6.2.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exeAutomated click: I agree to install this software only on computers that I own. I also agree to inform anyone who uses those computers that their computer usage may be monitored.
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exeAutomated click: OK
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exeWindow detected: Software InstallationI agree to install this software only on computers that I own. I also agree to inform anyone who uses those computers that their computer usage may be monitored.Please read the following License Agreement. Press the PAGE DOWN key to see the rest of the agreement.Do you accept all the terms of the preceeding License Agreement? If you choose No Setup will close. To Install this software you must accept this agreement.SOFTWARE END USER LICENSE AGREEMENTPLEASE CAREFULLY READ THIS END USER LICENSE AGREEMENT (LICENSE) PRIOR TO USING THE SOFTWARE (SOFTWARE). BY USING THE SOFTWARE YOU AGREE TO ADHERE TO THE TERMS OF THIS LICENSE. IF YOU DO NOT ACCEPT THE TERMS OF THIS LICENSE DO NOT INSTALL OR USE THE SOFTWARE AND DELETE THE SOFTWARE AND ALL OF ITS RELATED FILES FROM YOUR DEVICE. THIS END USER LICENSE AGREEMENT (EULA) IS A LEGAL AGREEMENT BETWEEN YOU (THE USER) AND APPLICATION PROVIDER FOR USE OF THE SOFTWARE. BY DOWNLOADING INSTALLING OR OTHERWISE USING THE SOFTWARE YOU AGREE TO BE BOUND BY THE TERMS OF THIS EULA. IF YOU DO NOT AGREE TO THE TERMS OF THIS EULA YOU MAY NOT DOWNLOAD INSTALL OR USE THE SOFTWARE.BY ACCEPTING THIS AGREEMENT YOU AGREE TO INSTALL THIS SOFTWARE ONLY ON A DEVICE OR DEVICES OWNED BY TO USE IT ONLY IN CONNECTION WITH AN ACCOUNT APPLICATION OR PROGRAM YOU HAVE THE LEGAL RIGHT TO ACCESS. YOU ALSO AGREE TO INFORM ANY PERSON(S) WHO USE(S) A DEVICE WITH THE SOFTWARE INSTALLED AND ANY OTHER PERSON WITH THE RIGHT TO ACCESS A MONITORED ACCOUNT OF THE PRESENCE OF THE SOFTWARE. FAILURE TO COMPLY MAY RESULT IN YOU BREAKING STATE AND FEDERAL LAWS. YOU UNDERSTAND AND AGREE THAT YOU SHALL BE RESPONSIBLE FOR ANY LEGAL COSTS INCURRED BY APPLICATION PROVIDER RESULTING FROM YOUR IMPROPER OR ILLEGAL USE OF THE SOFTWARE. 
User agrees that the installation and use of the Software will be in accordance with all local state and federal laws governing the monitoring of device account application or program activity and usage. User acknowledges that it is prohibited and against the terms of this Agreement NOT to inform any third party that User is monitoring the device account application or program with the Software and that their usage is subject to monitoring and recording.The application software that is subject to this license is referred to in this license as the Licensed Software. The Licensed Software and any other products offered on this website are licensed not sold to You. Vendor (further referred to in this license as Application Provider) reserves all rights not expressly granted to You.a. Scope of License: Application Provider grants You a non-exclusive non-transferable End-User license right to install the Licensed Software on one computer that You own or control. Nothing in this license should be interpreted as permitting installation of the Licensed Software on any device You do not own or control or which You do not have the legal right to monitor or to monitor any account application or program You do not have the
Source: 5006_2.6.2.exeStatic file information: File size 17131434 > 1048576
Source: 5006_2.6.2.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\tools\vcpkg\buildtrees\protobuf\x86-windows-v140-rel\libprotobuf-lite.pdb??! source: rundll32.exe, 0000000A.00000002.4464191235.000000006A9CD000.00000002.00000001.01000000.0000001D.sdmp, libprotobuf-lite.dll0.3.dr
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\Release_Fxs_Production\post_install.pdbWW source: post_install.exe, 00000004.00000000.2119366297.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp, post_install.exe, 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\release_fxs_production\antivirus_detector.pdbOO source: antivirus_detector.exe, 00000002.00000000.1990976682.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp, antivirus_detector.exe, 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: C:\build\openssl-develop\packages\openssl-1.1.0\libssl.pdb source: svcAppLookup.exe, 00000008.00000002.4462687887.000000006BDA3000.00000002.00000001.01000000.00000015.sdmp, rundll32.exe, 0000000A.00000002.4466303204.000000006BDA3000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\release_fxs_production\uninstall.pdbXX source: uninstall.exe0.3.dr
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\release_fxs_production\svcAppUpdate.pdbCC source: svcAppUpdate.exe, 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp, svcAppUpdate.exe, 00000005.00000000.2149789521.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\release_fxs_production\windows_hook_64.pdb source: rundll32.exe, 0000000B.00000002.4459240973.00007FF8A9325000.00000002.00000001.01000000.00000020.sdmp
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\release_fxs_production\uninstall.pdb source: uninstall.exe0.3.dr
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\Release_Fxs_Production\post_install.pdb source: post_install.exe, 00000004.00000000.2119366297.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp, post_install.exe, 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\release_fxs_production\svcAppInit.pdb source: svcAppInit.exe, 00000007.00000000.2189559977.0000000000818000.00000002.00000001.01000000.0000000D.sdmp, svcAppInit.exe, 00000007.00000002.4458028771.0000000000818000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\release_fxs_production\nt_system_service.pdbuu+4GCTL source: nt_system_service.exe, 00000009.00000002.4458728112.00000000009B5000.00000002.00000001.01000000.0000000F.sdmp, nt_system_service.exe, 00000009.00000000.2191105493.00000000009B5000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: c:\releases\winpcap_4_1_3\winpcap\packetNtx\Dll\Project\Release No NetMon\x86\Packet.pdb source: rundll32.exe, 0000000A.00000002.4459330719.000000000434F000.00000002.00000001.01000000.0000001F.sdmp
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\release_fxs_production\svcAppUpdate.pdb source: svcAppUpdate.exe, 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp, svcAppUpdate.exe, 00000005.00000000.2149789521.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\release_fxs_production\nt_system_service.pdb source: nt_system_service.exe, 00000009.00000002.4458728112.00000000009B5000.00000002.00000001.01000000.0000000F.sdmp, nt_system_service.exe, 00000009.00000000.2191105493.00000000009B5000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: C:\build\openssl-develop\packages\openssl-1.1.0\libcrypto.pdb source: svcAppLookup.exe, 00000008.00000002.4461735294.000000006BC6F000.00000002.00000001.01000000.00000018.sdmp, rundll32.exe, 0000000A.00000002.4465825694.000000006BC6F000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\release_fxs_production\svcAppInit.pdbNN source: svcAppInit.exe, 00000007.00000000.2189559977.0000000000818000.00000002.00000001.01000000.0000000D.sdmp, svcAppInit.exe, 00000007.00000002.4458028771.0000000000818000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: D:\tools\vcpkg\buildtrees\protobuf\x86-windows-v140-rel\libprotobuf-lite.pdb source: rundll32.exe, 0000000A.00000002.4464191235.000000006A9CD000.00000002.00000001.01000000.0000001D.sdmp, libprotobuf-lite.dll0.3.dr
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\release_fxs_production\windows_hook.pdb source: antivirus_detector.exe, 00000002.00000002.4460746995.000000006A5EB000.00000002.00000001.01000000.0000002A.sdmp, svcAppLookup.exe, 00000008.00000003.2191222252.000000000123E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4463926030.000000006A5EB000.00000002.00000001.01000000.0000002A.sdmp
Source: Binary string: C:\projects\projectsJ\nfsdk2_1.6\protocolfilters\build\release_static_ssl\win32\protocolfilters.pdb source: nt_system_service.exe, 00000009.00000002.4463173082.000000006C90B000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\release_fxs_production\svcAppLookup.pdbnn92GCTL source: svcAppLookup.exe, 00000008.00000000.2190159565.00000000006FE000.00000002.00000001.01000000.0000000E.sdmp, svcAppLookup.exe, 00000008.00000002.4458238469.00000000006FE000.00000002.00000001.01000000.0000000E.sdmp, svcAppLookup.exe0.3.dr
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\release_fxs_production\svcAppLookup.pdb source: svcAppLookup.exe, 00000008.00000000.2190159565.00000000006FE000.00000002.00000001.01000000.0000000E.sdmp, svcAppLookup.exe, 00000008.00000002.4458238469.00000000006FE000.00000002.00000001.01000000.0000000E.sdmp, svcAppLookup.exe0.3.dr
Source: Binary string: c:\releases\winpcap_4_1_3\winpcap\packetntx\driver\bin\amd64\npf.pdb source: main_installer.exe, 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\Release_Fxs_Production\svcAppLookup.pdb source: svcAppLookup.exe, 00000008.00000002.4464223091.000000006C4F5000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\build\openssl-develop\packages\openssl-1.1.0\libssl.pdb== source: svcAppLookup.exe, 00000008.00000002.4462687887.000000006BDA3000.00000002.00000001.01000000.00000015.sdmp, rundll32.exe, 0000000A.00000002.4466303204.000000006BDA3000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: c:\releases\winpcap_4_1_3\winpcap\wpcap\PRJ\Release\x86\wpcap.pdb source: rundll32.exe, 0000000A.00000002.4463801692.0000000010029000.00000002.00000001.01000000.0000001E.sdmp
Source: Binary string: e:\PTHREADS\pthreads\pthreadVC.pdb source: pthreadVC.dll.3.dr
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\Release_Fxs_Production\svcAppInit.pdb source: rundll32.exe, 0000000A.00000002.4464986715.000000006B282000.00000002.00000001.01000000.0000001B.sdmp, svcAppInit.dll0.3.dr
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\release_fxs_production\antivirus_detector.pdb source: antivirus_detector.exe, 00000002.00000000.1990976682.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp, antivirus_detector.exe, 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: c:\build\workspace\Windows_build_test-Flexispy\codebase\extensions\ws_vs_2015\Release_Fxs_Production\svcAppLookup.pdbn source: svcAppLookup.exe, 00000008.00000002.4464223091.000000006C4F5000.00000002.00000001.01000000.00000011.sdmp
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Code function: 8_2_00682CE0 memset,_stat64i32,_CxxThrowException,new,GetModuleHandleA,GetProcAddress,GetLastError,GetLastError,LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError, 8_2_00682CE0
Source: libcrypto.dll.3.dr | Static PE information: section name: .00cfg
Source: libssl.dll.3.dr | Static PE information: section name: .00cfg
Source: libcrypto.dll0.3.dr | Static PE information: section name: .00cfg
Source: libssl.dll0.3.dr | Static PE information: section name: .00cfg
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Code function: 2_2_00A06876 push ecx; ret 2_2_00A06889
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Code function: 4_2_005CED16 push ecx; ret 4_2_005CED29
Source: C:\Program Files (x86)\Windows Provisioning\svcAppUpdate.exe | Code function: 5_2_006ADF26 push ecx; ret 5_2_006ADF39
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Code function: 7_2_00814DE6 push ecx; ret 7_2_00814DF9
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Code function: 8_2_006F95B6 push ecx; ret 8_2_006F95C9
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Code function: 8_2_6BA1AF96 push ecx; ret 8_2_6BA1AFA9
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Code function: 8_2_6BA4FF10 push ecx; mov dword ptr [esp], ecx 8_2_6BA4FF11
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Code function: 8_2_6BA81E86 push ecx; ret 8_2_6BA81E99
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Code function: 8_2_6BA59DD0 push ecx; mov dword ptr [esp], 00000000h 8_2_6BA59DD1
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Code function: 8_2_6BA59D70 push ecx; mov dword ptr [esp], 00000000h 8_2_6BA59D71
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: 9_2_0097FE36 push ecx; ret 9_2_0097FE49
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: 9_2_6C6D8105 push ecx; ret 9_2_6C6D8118
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: 9_2_6C6CD83B push ecx; ret 9_2_6C6CD84E
Source: msvcr110.dll.0.dr | Static PE information: section name: .text entropy: 6.9113720938783825

Persistence and Installation Behavior

Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\80C410E174EDD8983D7ED0379677E2550BAF8511 Blob
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\npf.sys
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\system32\drivers\npf.sys
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\temp\nt_system_service.exe
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\nss\nssdbm3.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\SysWOW64\PocoCrypto.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\nss\nssckbi.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\pthreadVC.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\PocoNetSSL.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\nss\freebl3.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\Packet.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\PocoCrypto.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\nss\sqlite3.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\uninstall.exe
Source: C:\Users\user\Desktop\5006_2.6.2.exe | File created: C:\Windows\SysWOW64\msvcr110.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\SysWOW64\PocoNet.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\System32\wpcap.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\temp\svcAppLookup.exe
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\temp\get_drop_files.exe
Source: C:\Users\user\Desktop\5006_2.6.2.exe | File created: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\SysWOW64\Packet.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\SysWOW64\pthreadVC.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\SysWOW64\wpcap.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\nss\softokn3.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exe
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\libprotobuf-lite.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\nss\nssckbi.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\x64\wpcap.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\nss\sqlite3.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\nss\freebl3.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\nss\certutil.exe
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\ssleay32.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\PocoUtil.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\svcAppInit.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\nss\nss3.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\nss\nss3.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\nss\libnspr4.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\PocoNet.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\windows_hook.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\libeay32.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\nss\nssdbm3.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\nss\nssutil3.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\SysWOW64\PocoFoundation.dll
Source: C:\Users\user\Desktop\5006_2.6.2.exe | File created: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\svcAppUpdate.exe
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\PocoFoundation.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\temp\svcAppInit.exe
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\x64\Packet.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\SysWOW64\PocoJSON.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\nss\libnspr4.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\temp\svcAppLookup.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\nss\nssutil3.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\SysWOW64\PocoXML.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\nss\softokn3.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\nss\smime3.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\PocoJSON.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\SysWOW64\libssl.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\nss\libplc4.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\System32\Packet.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\ProtocolFilters.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\temp\windows_hook_64.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\SysWOW64\libcrypto.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Users\user\AppData\Local\Temp\nsmE645.tmp\System.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\System32\drivers\npf.sys
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libprotobuf-lite.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\post_install.exe
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\nss\smime3.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\SysWOW64\PocoUtil.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\npf.sys
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\windows_hook_64.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\Windows Provisioning.exe
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\nss\libplds4.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\temp\uninstall.exe
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\wpcap.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\libcrypto.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\PocoXML.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\SysWOW64\PocoNetSSL.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\temp\windows_hook.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\nss\libplc4.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\nss\libplds4.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\ProtocolFilters.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\SysWOW64\ssleay32.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\temp\svcAppUpdate.exe
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\get_drop_files.exe
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\temp\svcAppInit.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Program Files (x86)\Windows Provisioning\libs\libssl.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | File created: C:\Windows\SysWOW64\libeay32.dll
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | File created: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Code function: 4_2_005C1B20 OpenSCManagerW,OpenServiceA,ChangeServiceConfig2W,StartServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError, 4_2_005C1B20

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | File deleted: c:\users\user\desktop\5006_2.6.2.exe
Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: NtOpenFile
Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
Source: explorer.exe | User mode code has changed: module: ntdll.dll function: NtOpenFile new code: 0xE9 0x98 0x8B 0xB4 0x43 0x39
Source: C:\Users\user\Desktop\5006_2.6.2.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Windows Provisioning\nss\nssdbm3.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Windows Provisioning\temp\svcAppLookup.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Windows Provisioning\libs\nss\nssckbi.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Windows Provisioning\libs\pthreadVC.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Windows Provisioning\nss\softokn3.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Windows Provisioning\nss\freebl3.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Windows Provisioning\uninstall.exe
Source: C:\Users\user\Desktop\5006_2.6.2.exeDropped PE file which has not been started: C:\Windows\SysWOW64\msvcr110.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exeDropped PE file which has not been started: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exeDropped PE file which has not been started: C:\Program Files (x86)\Windows Provisioning\temp\get_drop_files.exeJump to dropped file
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exeDropped PE file which has not been started: C:\Program Files (x86)\Windows Provisioning\temp\windows_hook_64.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exeDropped PE file which has not been started: C:\Windows\SysWOW64\pthreadVC.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsmE645.tmp\System.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exeDropped PE file which has not been started: C:\Windows\System32\drivers\npf.sysJump to dropped file
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exeDropped PE file which has not been started: C:\Program Files (x86)\Windows Provisioning\libs\nss\softokn3.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exeDropped PE file which has not been started: C:\Program Files (x86)\Windows Provisioning\nss\nssckbi.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exeDropped PE file which has not been started: C:\Program Files (x86)\Windows Provisioning\libs\npf.sysJump to dropped file
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exeDropped PE file which has not been started: C:\Program Files (x86)\Windows Provisioning\windows_hook_64.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exeDropped PE file which has not been started: C:\Program Files (x86)\Windows Provisioning\Windows Provisioning.exeJump to dropped file
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exeDropped PE file which has not been started: C:\Program Files (x86)\Windows Provisioning\temp\uninstall.exeJump to dropped file
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exeDropped PE file which has not been started: C:\Program Files (x86)\Windows Provisioning\libs\nss\freebl3.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exeDropped PE file which has not been started: C:\Program Files (x86)\Windows Provisioning\libs\ssleay32.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exeDropped PE file which has not been started: C:\Program Files (x86)\Windows Provisioning\svcAppInit.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exeDropped PE file which has not been started: C:\Program Files (x86)\Windows Provisioning\temp\windows_hook.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exeDropped PE file which has not been started: C:\Program Files (x86)\Windows Provisioning\windows_hook.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exeDropped PE file which has not been started: C:\Windows\SysWOW64\ssleay32.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exeDropped PE file which has not been started: C:\Program Files (x86)\Windows Provisioning\libs\libeay32.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exeDropped PE file which has not been started: C:\Program Files (x86)\Windows Provisioning\libs\nss\nssdbm3.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exeDropped PE file which has not been started: C:\Program Files (x86)\Windows Provisioning\temp\svcAppInit.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exeDropped PE file which has not been started: C:\Program Files (x86)\Windows Provisioning\get_drop_files.exeJump to dropped file
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exeDropped PE file which has not been started: C:\Windows\SysWOW64\libeay32.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_2-11406
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeAPI coverage: 4.1 %
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeAPI coverage: 8.6 %
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\SysWOW64\rundll32.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\SysWOW64\rundll32.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\rundll32.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\5006_2.6.2.exeCode function: 0_2_00406313 FindFirstFileA,FindClose,0_2_00406313
Source: C:\Users\user\Desktop\5006_2.6.2.exeCode function: 0_2_00402765 FindFirstFileA,0_2_00402765
Source: C:\Users\user\Desktop\5006_2.6.2.exeCode function: 0_2_004057D8 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_004057D8
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exeCode function: 2_2_009FD380 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,GetLastError,2_2_009FD380
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exeCode function: 3_2_00406313 FindFirstFileA,FindClose,3_2_00406313
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exeCode function: 3_2_004057D8 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,3_2_004057D8
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exeCode function: 3_2_00402765 FindFirstFileA,3_2_00402765
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeCode function: 4_2_005C6A90 GetLastError,WTSQueryUserToken,SHGetFolderPathW,CloseHandle,GetLastError,SHGetSpecialFolderPathW,FindFirstFileW,_stat64i32,FindNextFileW,GetLastError,FindClose,GetLastError,4_2_005C6A90
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeCode function: 4_2_005BAA30 GetFileAttributesA,FindFirstFileA,FindNextFileA,remove,FindNextFileA,FindClose,GetLastError,4_2_005BAA30
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeCode function: 4_2_005BA790 Sleep,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,GetLastError,4_2_005BA790
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_6C687A00 FindFirstFileW,DeleteFileW,FindNextFileW,DeleteFileW,FindNextFileW,FindClose,9_2_6C687A00
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_6C655780 _memset,Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,9_2_6C655780
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_6C655ED0 _memset,Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception,ExpandEnvironmentStringsW,Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception,FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,FindClose,EnterCriticalSection,LeaveCriticalSection,9_2_6C655ED0
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeCode function: 8_2_006A0910 GetSystemInfo,8_2_006A0910
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeFile opened: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeFile opened: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\
Source: antivirus_detector.exe, 00000002.00000002.4459215588.00000000012A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8Nv
Source: rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX
Source: antivirus_detector.exe, 00000002.00000002.4460394106.000000000484F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: antivirus_detector.exe, 00000002.00000002.4460394106.000000000484F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svcAppLookup.exe, 00000008.00000002.4458821210.000000000126C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll`
Source: nt_system_service.exe, 00000009.00000002.4460150594.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.4458104055.000001B7C5F68000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2205048101.0000000001167000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\5006_2.6.2.exeAPI call chain: ExitProcess graph end nodegraph_0-3120
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exeAPI call chain: ExitProcess graph end nodegraph_3-3172
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeAPI call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exeCode function: 2_2_00A06647 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00A06647
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_6C6E9F71 EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,9_2_6C6E9F71
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeCode function: 8_2_00682CE0 memset,_stat64i32,_CxxThrowException,new,GetModuleHandleA,GetProcAddress,GetLastError,GetLastError,LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError,8_2_00682CE0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_009846E0 GetProcessHeap,HeapFree,9_2_009846E0
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeProcess token adjusted: DebugJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeProcess token adjusted: DebugJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeProcess token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exeCode function: 2_2_00A06154 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00A06154
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exeCode function: 2_2_00A06647 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00A06647
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exeCode function: 2_2_00A067D9 SetUnhandledExceptionFilter,2_2_00A067D9
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeCode function: 4_2_005CE2E3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_005CE2E3
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeCode function: 4_2_005CEA95 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_005CEA95
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeCode function: 4_2_005CEC27 SetUnhandledExceptionFilter,4_2_005CEC27
Source: C:\Program Files (x86)\Windows Provisioning\svcAppUpdate.exeCode function: 5_2_006ADD27 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_006ADD27
Source: C:\Program Files (x86)\Windows Provisioning\svcAppUpdate.exeCode function: 5_2_006ADE86 SetUnhandledExceptionFilter,5_2_006ADE86
Source: C:\Program Files (x86)\Windows Provisioning\svcAppUpdate.exeCode function: 5_2_006AD744 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_006AD744
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeCode function: 7_2_00814B9B IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00814B9B
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeCode function: 7_2_008143F1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_008143F1
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeCode function: 7_2_00814CFA SetUnhandledExceptionFilter,7_2_00814CFA
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeCode function: 8_2_006F93B7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_006F93B7
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeCode function: 8_2_006F9516 SetUnhandledExceptionFilter,8_2_006F9516
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeCode function: 8_2_006F8CE4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_006F8CE4
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeCode function: 8_2_6BA1B25B IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_6BA1B25B
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeCode function: 8_2_6BA1B4D2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_6BA1B4D2
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeCode function: 8_2_6BA8239A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_6BA8239A
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_0097F7E1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_0097F7E1
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_0097F9E0 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_0097F9E0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_6C6D02C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_6C6D02C0
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exeMemory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 119.8.47.97 443
Source: C:\Windows\SysWOW64\rundll32.exe | Windows user hook set: 0 get message C:\Program Files (x86)\Windows Provisioning\windows_hook.dll
Source: C:\Windows\System32\rundll32.exe | Windows user hook set: 0 get message C:\Program Files (x86)\Windows Provisioning\windows_hook_64.dll
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Process created: C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe "C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe" -s=1
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: 9_2_0097E650 CreateEventW,ConvertStringSecurityDescriptorToSecurityDescriptorW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeA,LocalFree,CloseHandle,9_2_0097E650
Source: rundll32.exe, 0000000A.00000002.4458563035.0000000000A58000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 8+kProgram Manager
Source: rundll32.exe, 0000000A.00000002.4459759875.000000000488A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Code function: 2_2_00A0649D cpuid 2_2_00A0649D
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: GetModuleFileNameW,___crtMessageBoxW,GetStdHandle,_strlen,WriteFile,__invoke_watson,___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,9_2_6C6DA4FC
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,9_2_6C6EA2ED
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Users\user\AppData\Roaming\Windows Provisioning\version.txt VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Users\user\AppData\Roaming\Windows Provisioning\version.txt VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppInit.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppInit.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\windows_hook.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppInit.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\windows_hook.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppInit.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\windows_hook.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppInit.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\windows_hook.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppInit.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\windows_hook.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppInit.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\windows_hook.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppInit.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\windows_hook.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppInit.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\windows_hook.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\windows_hook.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\windows_hook_64.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\svcAppLookup.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\svcAppLookup.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\svcAppLookup.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\svcAppLookup.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\nt_system_service.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\nt_system_service.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\svcAppInit.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppInit.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\svcAppInit.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\uninstall.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\uninstall.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\uninstall.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\windows_hook.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\windows_hook_64.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\uninstall.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\uninstall.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\uninstall.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\uninstall.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\svcAppInit.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppInit.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppInit.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\svcAppInit.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\svcAppInit.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\svcAppInit.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\svcAppLookup.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\svcAppLookup.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\svcAppLookup.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\svcAppLookup.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\windows_hook.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\windows_hook_64.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\get_drop_files.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\get_drop_files.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\get_drop_files.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\get_drop_files.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Windows\SysWOW64\PocoCrypto.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\libs\PocoCrypto.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Windows\SysWOW64\PocoCrypto.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Windows\SysWOW64\PocoFoundation.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\libs\PocoFoundation.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Windows\SysWOW64\PocoFoundation.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Windows\SysWOW64\PocoJSON.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\libs\PocoJSON.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Windows\SysWOW64\PocoJSON.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Windows\SysWOW64\PocoNet.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\libs\PocoNet.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Windows\SysWOW64\PocoNet.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Windows\SysWOW64\PocoNetSSL.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\libs\PocoNetSSL.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exeQueries volume information: C:\Windows\SysWOW64\PocoNetSSL.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Windows\SysWOW64\PocoUtil.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\libs\PocoUtil.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Windows\SysWOW64\PocoUtil.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Windows\SysWOW64\PocoXML.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\libs\PocoXML.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Windows\SysWOW64\PocoXML.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Windows\SysWOW64\libcrypto.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\libs\libcrypto.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Windows\SysWOW64\libcrypto.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Windows\SysWOW64\libssl.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\libs\libssl.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Windows\SysWOW64\libssl.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt | VolumeInformation (6 identical entries)
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\ProtocolFilters.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\libs\ProtocolFilters.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\ProtocolFilters.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\libprotobuf-lite.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\libs\libprotobuf-lite.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\libprotobuf-lite.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exe | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\libs\nss\certutil.exe | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exe | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\nss\freebl3.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\libs\nss\freebl3.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\nss\freebl3.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\nss\libnspr4.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\libs\nss\libnspr4.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\nss\libnspr4.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\nss\libplc4.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\libs\nss\libplc4.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\nss\libplc4.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\nss\libplds4.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\libs\nss\libplds4.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\nss\libplds4.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\nss\nss3.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\libs\nss\nss3.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\nss\nss3.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\nss\nssckbi.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\libs\nss\nssckbi.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\nss\nssckbi.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\nss\nssdbm3.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\libs\nss\nssdbm3.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\nss\nssdbm3.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\nss\nssutil3.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\libs\nss\nssutil3.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\nss\nssutil3.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\nss\smime3.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\libs\nss\smime3.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\nss\smime3.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\nss\softokn3.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\libs\nss\softokn3.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\nss\softokn3.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\nss\sqlite3.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\libs\nss\sqlite3.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\nss\sqlite3.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt | VolumeInformation (38 identical entries)
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt | VolumeInformation (16 identical entries)
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\post_install.exe | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\post_install.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\postinstall.txt | VolumeInformation (2 identical entries)
Source: C:\Program Files (x86)\Windows Provisioning\svcAppUpdate.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\debug_update_service.txt | VolumeInformation (8 identical entries)
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log | VolumeInformation (8 identical entries)
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\temp\svcAppLookup.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.dll | VolumeInformation (2 identical entries)
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\temp\svcAppLookup.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\temp\svcAppLookup.exe | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | VolumeInformation (2 identical entries)
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\temp\svcAppLookup.exe | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\temp\nt_system_service.exe | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | VolumeInformation (2 identical entries)
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\temp\nt_system_service.exe | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\temp\svcAppInit.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppInit.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\temp\svcAppInit.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\temp\uninstall.exe | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\uninstall.exe | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\temp\uninstall.exe | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\temp\windows_hook.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log | VolumeInformation (2 identical entries)
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\temp\windows_hook_64.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log | VolumeInformation (4 identical entries)
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Windows\SysWOW64\Packet.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Windows\SysWOW64\wpcap.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Windows\SysWOW64\pthreadVC.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Windows\System32\drivers\npf.sys | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Windows\System32\Packet.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Windows\System32\wpcap.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log | VolumeInformation (4 identical entries)
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Windows\SysWOW64\PocoCrypto.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\libs\PocoCrypto.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Windows\SysWOW64\PocoCrypto.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Windows\SysWOW64\PocoFoundation.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\libs\PocoFoundation.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Windows\SysWOW64\PocoFoundation.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Windows\SysWOW64\PocoJSON.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\libs\PocoJSON.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Windows\SysWOW64\PocoJSON.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Windows\SysWOW64\PocoNet.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\libs\PocoNet.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Windows\SysWOW64\PocoNet.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Windows\SysWOW64\PocoNetSSL.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\libs\PocoNetSSL.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Windows\SysWOW64\PocoNetSSL.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Windows\SysWOW64\PocoUtil.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe | Queries volume information: C:\Program Files (x86)\Windows Provisioning\libs\PocoUtil.dll | VolumeInformation
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Windows\SysWOW64\PocoUtil.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Windows\SysWOW64\PocoXML.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\libs\PocoXML.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Windows\SysWOW64\PocoXML.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Windows\SysWOW64\libcrypto.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\libs\libcrypto.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Windows\SysWOW64\libcrypto.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Windows\SysWOW64\libssl.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\libs\libssl.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Windows\SysWOW64\libssl.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\configurations.dat VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\app_data\configurations.dat VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\app_data\configurations.dat VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\configurations.dat VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\ProtocolFilters.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\libs\ProtocolFilters.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\ProtocolFilters.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\libprotobuf-lite.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\libs\libprotobuf-lite.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\libprotobuf-lite.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\libs\nss\certutil.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\nss\freebl3.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\libs\nss\freebl3.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\nss\freebl3.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\nss\libnspr4.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\libs\nss\libnspr4.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\nss\libnspr4.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\nss\libplc4.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\libs\nss\libplc4.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\nss\libplc4.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\nss\libplds4.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\libs\nss\libplds4.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\nss\libplds4.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\nss\nss3.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\libs\nss\nss3.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\nss\nss3.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\nss\nssckbi.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\libs\nss\nssckbi.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\nss\nssckbi.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\nss\nssdbm3.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\libs\nss\nssdbm3.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\nss\nssdbm3.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\nss\nssutil3.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\libs\nss\nssutil3.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\nss\nssutil3.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\nss\smime3.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\libs\nss\smime3.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\nss\smime3.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\nss\softokn3.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\libs\nss\softokn3.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\nss\softokn3.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\nss\sqlite3.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\libs\nss\sqlite3.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\nss\sqlite3.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\gutype.dat VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\gutype.dat VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppInit.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\windows_hook_64.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\startuplog.log VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\debug_proc_mon.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\debug_proc_mon.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\debug_proc_mon.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\debug_proc_mon.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\debug_proc_mon.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\logs\2024-03\debug_proc_mon.txt VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\uninstall.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\uninstall.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\uninstall.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\uninstall.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\svcAppInit.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppInit.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppInit.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\svcAppInit.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\svcAppInit.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\svcAppInit.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeQueries volume information: C:\Program Files (x86)\Windows Provisioning\temp\svcAppLookup.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_0097E650 CreateEventW,ConvertStringSecurityDescriptorToSecurityDescriptorW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeA,LocalFree,CloseHandle,9_2_0097E650
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exeCode function: 2_2_00A0688B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,2_2_00A0688B
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeCode function: 8_2_0068A2B0 GetUserNameW,8_2_0068A2B0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exeCode function: 9_2_008B2C30 GetTimeZoneInformation,memset,memset,9_2_008B2C30
Source: C:\Users\user\Desktop\5006_2.6.2.exeCode function: 0_2_0040326B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040326B
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db-journal
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db-journal
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db-journal
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: antivirus_detector.exe, 00000002.00000003.2056640258.000000000128F000.00000004.00000020.00020000.00000000.sdmp, antivirus_detector.exe, 00000002.00000002.4459215588.0000000001262000.00000004.00000020.00020000.00000000.sdmp, antivirus_detector.exe, 00000002.00000003.2056668872.0000000004866000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct (2 identical entries)

Stealing of Sensitive Information

Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\V6ZCHH~1.DEF\key4.db-journal
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\V6ZCHH~1.DEF\cert9.db
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\V6ZCHH~1.DEF\pkcs11.txt
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\V6ZCHH~1.DEF\cert9.db-journal
Source: C:\Program Files (x86)\Windows Provisioning\nss\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\V6ZCHH~1.DEF\key4.db
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Code function: 8_2_6BA53980 ?removeEventListener@EventDispatcher@XML@Poco@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PAVEventListener@23@_N@Z | 8_2_6BA53980
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Code function: 8_2_6BA46F80 ?removeEventListener@AbstractNode@XML@Poco@@UAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PAVEventListener@23@_N@Z,?removeEventListener@EventDispatcher@XML@Poco@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PAVEventListener@23@_N@Z | 8_2_6BA46F80
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Code function: 8_2_6BA53C70 ??1EventListener@XML@Poco@@MAE@XZ | 8_2_6BA53C70
Source: C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe | Code function: 8_2_6BA533F0 ??0EventListener@XML@Poco@@QAE@ABV012@@Z | 8_2_6BA533F0
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: 9_2_00972F20 bind,WSAGetLastError,connect | 9_2_00972F20
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: 9_2_00971380 WSASocketW,setsockopt,htonl,bind,getsockname,htonl,htonl,htonl,listen,WSASocketW,connect,ioctlsocket,setsockopt,ioctlsocket,setsockopt | 9_2_00971380
Source: C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe | Code function: 9_2_00977990 setsockopt,bind,listen | 9_2_00977990
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire Infrastructure1
Valid Accounts
31
Windows Management Instrumentation
1
DLL Side-Loading
1
DLL Side-Loading
1
Disable or Modify Tools
1
OS Credential Dumping
2
System Time Discovery
Remote Services1
Archive Collected Data
2
Ingress Tool Transfer
Exfiltration Over Other Network Medium1
System Shutdown/Reboot
CredentialsDomainsDefault Accounts2
Native API
1
Valid Accounts
1
Valid Accounts
1
Deobfuscate/Decode Files or Information
2
Network Sniffing
1
Account Discovery
Remote Desktop Protocol1
Browser Session Hijacking
11
Encrypted Channel
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain Accounts3
Command and Scripting Interpreter
24
Windows Service
11
Access Token Manipulation
3
Obfuscated Files or Information
31
Credential API Hooking
3
File and Directory Discovery
SMB/Windows Admin Shares1
Data from Local System
2
Non-Application Layer Protocol
Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal Accounts12
Service Execution
Login Hook24
Windows Service
1
Install Root Certificate
NTDS2
Network Sniffing
Distributed Component Object Model31
Credential API Hooking
3
Application Layer Protocol
Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script113
Process Injection
1
Software Packing
LSA Secrets47
System Information Discovery
SSH1
Clipboard Data
Fallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
DLL Side-Loading
Cached Domain Credentials61
Security Software Discovery
VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
File Deletion
DCSync1
Virtualization/Sandbox Evasion
Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job4
Rootkit
Proc Filesystem3
Process Discovery
Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt32
Masquerading
/etc/passwd and /etc/shadow1
System Owner/User Discovery
Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
Valid Accounts
Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd1
Virtualization/Sandbox Evasion
Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
Gather Victim Org InformationDNS ServerCompromise Software Supply ChainWindows Command ShellScheduled TaskScheduled Task11
Access Token Manipulation
KeyloggingProcess DiscoveryTaint Shared ContentScreen CaptureDNSExfiltration Over Physical MediumResource Hijacking
Determine Physical LocationsVirtual Private ServerCompromise Hardware Supply ChainUnix ShellSystemd TimersSystemd Timers113
Process Injection
GUI Input CapturePermission Groups DiscoveryReplication Through Removable MediaEmail CollectionProxyExfiltration over USBNetwork Denial of Service
Business RelationshipsServerTrusted RelationshipVisual BasicContainer Orchestration JobContainer Orchestration Job1
Hidden Files and Directories
Web Portal CaptureLocal GroupsComponent Object Model and Distributed COMLocal Email CollectionInternal ProxyCommonly Used PortDirect Network Flood
Identify Business TempoBotnetHardware AdditionsPythonHypervisorProcess Injection1
Rundll32
Credential API HookingDomain GroupsExploitation of Remote ServicesRemote Email CollectionExternal ProxyTransfer Data to Cloud AccountReflection Amplification

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1412313
Sample: 5006_2.6.2.exe
Start date: 20/03/2024
Architecture: WINDOWS
Score: 54

Numbers in square brackets are the graph's created-registry-value / created-file counters for that process node.

Start node (2):
  • DNS/IP: push.mobilefonex.com
  • Signatures: Malicious sample detected (through community Yara rule); Sigma detected: System File Execution Location Anomaly; Hooks winsocket function (used for sniffing or altering network traffic); 3 other signatures
  • Started processes: 5006_2.6.2.exe [15] (node 9); nt_system_service.exe (node 12); svcAppInit.exe [1] (node 15); 2 other processes (node 17)

5006_2.6.2.exe (node 9):
  • Dropped: C:\Users\user\AppData\...\main_installer.exe (PE32); C:\Users\user\...\antivirus_detector.exe (PE32); C:\Windows\SysWOW64\msvcr110.dll (PE32)
  • Started: antivirus_detector.exe [1 / 2] (node 19)

nt_system_service.exe (node 12):
  • Dropped: C:\Users\user\AppData\Roaming\...\prefs.js (data)
  • Signatures: Installs new ROOT certificates; Overwrites Mozilla Firefox settings; Tries to harvest and steal browser information (history, passwords, etc)
  • Started: certutil.exe (node 22)

svcAppInit.exe (node 15):
  • Started: rundll32.exe (node 25); rundll32.exe (node 28)

antivirus_detector.exe (node 19):
  • Signatures: Deletes itself after installation
  • Started: main_installer.exe [1 / 113] (node 30)

certutil.exe (node 22):
  • Dropped: C:\Users\user\AppData\...\key4.db-journal (SQLite); C:\Users\user\AppData\Roaming\...\key4.db (SQLite); C:\Users\user\AppData\...\cert9.db-journal (SQLite); C:\Users\user\AppData\Roaming\...\cert9.db (SQLite)
  • Signatures: Overwrites Mozilla Firefox settings; Tries to harvest and steal browser information (history, passwords, etc)

rundll32.exe (node 25):
  • DNS/IP: push.mobilefonex.com 119.8.47.97, 443, 49712, 49713, HWCLOUDS-AS-APHUAWEICLOUDSHK, Singapore
  • Signatures: System process connects to network (likely due to code injection or exploit); Installs a global get message hook; Installs a global event hook (focus changed)

main_installer.exe (node 30):
  • Dropped: C:\...\windows_hook_64.dll (PE32+); C:\Program Files (x86)\...\windows_hook.dll (PE32); C:\...\nt_system_service.exe (PE32); 82 other files (1 malicious)
  • Signatures: Sample is not signed and drops a device driver; Install WinpCap (used to filter network traffic)
  • Started: post_install.exe [5] (node 34)

No Antivirus matches

Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\Windows Provisioning\ProtocolFilters.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\Windows Provisioning\ProtocolFilters.dll | 0% | Virustotal | | Browse
C:\Program Files (x86)\Windows Provisioning\libprotobuf-lite.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\Windows Provisioning\libprotobuf-lite.dll | 0% | Virustotal | | Browse
C:\Program Files (x86)\Windows Provisioning\libs\Packet.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\Windows Provisioning\libs\Packet.dll | 0% | Virustotal | | Browse
C:\Program Files (x86)\Windows Provisioning\libs\PocoCrypto.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\Windows Provisioning\libs\PocoCrypto.dll | 0% | Virustotal | | Browse
C:\Program Files (x86)\Windows Provisioning\libs\PocoFoundation.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\Windows Provisioning\libs\PocoFoundation.dll | 0% | Virustotal | | Browse
C:\Program Files (x86)\Windows Provisioning\libs\PocoJSON.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\Windows Provisioning\libs\PocoJSON.dll | 0% | Virustotal | | Browse
C:\Program Files (x86)\Windows Provisioning\libs\PocoNet.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\Windows Provisioning\libs\PocoNet.dll | 0% | Virustotal | | Browse
C:\Program Files (x86)\Windows Provisioning\libs\PocoNetSSL.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\Windows Provisioning\libs\PocoNetSSL.dll | 0% | Virustotal | | Browse
C:\Program Files (x86)\Windows Provisioning\libs\PocoUtil.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\Windows Provisioning\libs\PocoUtil.dll | 0% | Virustotal | | Browse
C:\Program Files (x86)\Windows Provisioning\libs\PocoXML.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\Windows Provisioning\libs\PocoXML.dll | 0% | Virustotal | | Browse
C:\Program Files (x86)\Windows Provisioning\libs\ProtocolFilters.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\Windows Provisioning\libs\ProtocolFilters.dll | 0% | Virustotal | | Browse
C:\Program Files (x86)\Windows Provisioning\libs\libcrypto.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\Windows Provisioning\libs\libcrypto.dll | 0% | Virustotal | | Browse
C:\Program Files (x86)\Windows Provisioning\libs\libeay32.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\Windows Provisioning\libs\libeay32.dll | 0% | Virustotal | | Browse
C:\Program Files (x86)\Windows Provisioning\libs\libprotobuf-lite.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\Windows Provisioning\libs\libprotobuf-lite.dll | 0% | Virustotal | | Browse
C:\Program Files (x86)\Windows Provisioning\libs\libssl.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\Windows Provisioning\libs\libssl.dll | 0% | Virustotal | | Browse
C:\Program Files (x86)\Windows Provisioning\libs\npf.sys | 0% | ReversingLabs | |
C:\Program Files (x86)\Windows Provisioning\libs\npf.sys | 0% | Virustotal | | Browse

No Antivirus matches

Source | Detection | Scanner | Label | Link
push.mobilefonex.com | 1% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe |
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe |
http://ocsp.thawte.com0 | 0% | URL Reputation | safe |
http://crl.rootca1.amazontrust.com/rootca1.crl0 | 0% | URL Reputation | safe |
http://crt.rootca1.amazontrust.com/rootca1.cer0? | 0% | URL Reputation | safe |
http://html4/loose.dtd | 0% | Avira URL Cloud | safe |
https://push.mobilefonex.comc | 0% | Avira URL Cloud | safe |
https://portal.mobilebackup.biz/help/en/install/pc/configure-exclusions-for-windows.htmlhttps://port | 0% | Avira URL Cloud | safe |
https://bridge.sfo1.ap01.nXnm | 0% | Avira URL Cloud | safe |
http://www.appinf.com/features/enable-partial-reads | 0% | Avira URL Cloud | safe |
https://portal.mobilebackup.biz/help/en/install/pc/common-anti-virus-program-instructions-for-adding | 0% | Avira URL Cloud | safe |
http://.css | 0% | Avira URL Cloud | safe |
http://client.mobilefonex.com/gateway | 0% | Avira URL Cloud | safe |
http://client.mobilefonex.com/gateway/unstructureda | 0% | Avira URL Cloud | safe |
https://portal.mobilebackup.biz/help/en/install/pc/configure-exclusions-for-windows.htmlhttps://port | 2% | Virustotal | | Browse
http://www.appinf.com/features/enable-partial-readsCannot | 0% | Avira URL Cloud | safe |
http://www.appinf.com/features/enable-partial-readsent-contentJ | 0% | Avira URL Cloud | safe |
http://www.appinf.com/features/enable-partial-reads | 0% | Virustotal | | Browse
http://.jpg | 0% | Avira URL Cloud | safe |
http://client.mobilefonex.com/gateway/unstructured | 0% | Avira URL Cloud | safe |
http://www.appinf.com/features/no-whitespace-in-element-content | 0% | Avira URL Cloud | safe |
https://push.mobilefonex.com/?encoding=utf8 | 0% | Avira URL Cloud | safe |
http://www.appinf.com/features/enable-partial-readsCannot | 0% | Virustotal | | Browse
http://www.appinf.com/features/enable-partial-readsent-contentJ | 0% | Virustotal | | Browse
https://imp.mt48.net/static?id=7RHzfOIX | 0% | Avira URL Cloud | safe |
http://client.mobilefonex.com/gateway/unstructuredy | 0% | Avira URL Cloud | safe |
http://client.mobilefonex.com/gateway | 0% | Virustotal | | Browse
http://client.mobilefonex.com/gateway/unstructured | 0% | Virustotal | | Browse
http://ocsp.rootca1.amazontrust.com0: | 0% | Avira URL Cloud | safe |
https://push.mobilefonex.com | 0% | Avira URL Cloud | safe |
http://client.mobilefonex.com/gatewayV | 0% | Avira URL Cloud | safe |
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs | 0% | Avira URL Cloud | safe |
https://portal.mobilebackup.biz/help/en/install/pc/configure-exclusions-for-windows.html | 0% | Avira URL Cloud | safe |
http://www.appinf.com/features/no-whitespace-in-element-content | 0% | Virustotal | | Browse
http://www.appinf.com/features/no-whitespace-in-element-contentS | 0% | Avira URL Cloud | safe |
https://push.mobilefonex.com | 0% | Virustotal | | Browse
http://www.appinf.com/features/no-whitespace-in-element-contentS | 0% | Virustotal | | Browse
https://portal.mobilebackup.biz/help/en/install/pc/configure-exclusions-for-windows.html | 0% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
push.mobilefonex.com | 119.8.47.97 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://push.mobilefonex.com/?encoding=utf8 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://html4/loose.dtd | nt_system_service.exe, 00000009.00000002.4463173082.000000006C90B000.00000002.00000001.01000000.00000010.sdmp | false | Avira URL Cloud: safe | low
http://www.appinf.com/features/enable-partial-reads | svcAppLookup.exe, svcAppLookup.exe, 00000008.00000002.4458821210.000000000121A000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4461246118.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4465587996.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp, PocoXML.dll0.3.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://push.mobilefonex.comc | svcAppLookup.exe, 00000008.00000002.4458821210.0000000001285000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://portal.mobilebackup.biz/help/en/install/pc/configure-exclusions-for-windows.htmlhttps://port | antivirus_detector.exe, 00000002.00000000.1990976682.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp, antivirus_detector.exe, 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://bridge.sfo1.ap01.nXnm | nt_system_service.exe, 00000009.00000002.4460150594.00000000013D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.openssl.org/V | svcAppLookup.exe, 00000008.00000002.4462048125.000000006BCB7000.00000002.00000001.01000000.00000018.sdmp, svcAppLookup.exe, 00000008.00000002.4462749493.000000006BDBD000.00000002.00000001.01000000.00000015.sdmp, rundll32.exe, 0000000A.00000002.4465966699.000000006BCB7000.00000002.00000001.01000000.00000018.sdmp, rundll32.exe, 0000000A.00000002.4466342443.000000006BDBD000.00000002.00000001.01000000.00000015.sdmp, libeay32.dll0.3.dr | false | | high
http://xml.org/sax/features/namespaces& | rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://portal.mobilebackup.biz/help/en/install/pc/common-anti-virus-program-instructions-for-adding | antivirus_detector.exe | false | Avira URL Cloud: safe | unknown
http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEprng | libeay32.dll0.3.dr, libeay32.dll.3.dr | false | | high
http://xml.org/sax/features/string-interningG | svcAppLookup.exe, 00000008.00000002.4458821210.000000000126C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://xml.org/sax/features/namespace-prefixes | svcAppLookup.exe, svcAppLookup.exe, 00000008.00000002.4458821210.000000000126C000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4461246118.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4465587996.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp, PocoXML.dll0.3.dr | false | | high
http://.css | nt_system_service.exe, 00000009.00000002.4463173082.000000006C90B000.00000002.00000001.01000000.00000010.sdmp | false | Avira URL Cloud: safe | low
http://xml.org/sax/features/validationX | svcAppLookup.exe, 00000008.00000002.4458821210.000000000126C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://xml.org/sax/features/string-interning | svcAppLookup.exe, svcAppLookup.exe, 00000008.00000002.4458821210.000000000126C000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4461246118.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4465587996.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp, PocoXML.dll0.3.dr | false | | high
http://xml.org/sax/features/external-parameter-entities | svcAppLookup.exe, svcAppLookup.exe, 00000008.00000002.4458821210.000000000121A000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4461246118.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4465587996.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp, PocoXML.dll0.3.dr | false | | high
http://www.openssl.org/support/faq.html | libeay32.dll0.3.dr, libeay32.dll.3.dr | false | | high
http://xml.org/sax/features/namespace-prefixes3 | svcAppLookup.exe, 00000008.00000002.4458821210.000000000126C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://client.mobilefonex.com/gateway | rundll32.exe, 0000000A.00000002.4459759875.000000000488A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0 | main_installer.exe, 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp | false | | high
http://x1.c.lencr.org/0 | certutil.exe, 0000000C.00000003.2199415266.00000000022DB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2201853866.00000000022EB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203013749.0000000001C9B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.i.lencr.org/0 | certutil.exe, 0000000C.00000003.2199415266.00000000022DB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2201853866.00000000022EB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203013749.0000000001C9B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://client.mobilefonex.com/gateway/unstructureda | rundll32.exe, 0000000A.00000002.4459759875.000000000488A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&r | nt_system_service.exe, 00000009.00000002.4460150594.00000000013D2000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.appinf.com/features/enable-partial-readsCannot | svcAppLookup.exe, 00000008.00000002.4461246118.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4465587996.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, PocoXML.dll0.3.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.appinf.com/features/enable-partial-readsent-contentJ | rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://.jpg | nt_system_service.exe, 00000009.00000002.4463173082.000000006C90B000.00000002.00000001.01000000.00000010.sdmp | false | Avira URL Cloud: safe | low
http://client.mobilefonex.com/gateway/unstructured | rundll32.exe, 0000000A.00000002.4459759875.000000000488A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://xml.org/sax/properties/lexical-handlerQ | rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.appinf.com/features/no-whitespace-in-element-content | PocoXML.dll0.3.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://www.openssl.org/docs/faq.html | rundll32.exe, 0000000A.00000002.4465825694.000000006BC6F000.00000002.00000001.01000000.00000018.sdmp | false | | high
http://xml.org/sax/features/external-general-entities | svcAppLookup.exe, svcAppLookup.exe, 00000008.00000002.4458821210.000000000121A000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4461246118.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4465587996.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp, PocoXML.dll0.3.dr | false | | high
http://ocsp.thawte.com0 | main_installer.exe, 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp | false | URL Reputation: safe | unknown
http://xml.org/sax/features/external-general-entitiesn | rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://xml.org/sax/features/namespaces | svcAppLookup.exe, svcAppLookup.exe, 00000008.00000002.4458821210.000000000126C000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4461246118.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4465587996.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp, PocoXML.dll0.3.dr | false | | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | certutil.exe, 0000000C.00000003.2199415266.00000000022DB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2201853866.00000000022EB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203013749.0000000001C9B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://imp.mt48.net/static?id=7RHzfOIX | nt_system_service.exe, 00000009.00000002.4460150594.00000000013D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://client.mobilefonex.com/gateway/unstructuredy | rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.rootca1.amazontrust.com0: | certutil.exe, 0000000C.00000003.2199415266.00000000022DB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2201853866.00000000022EB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203013749.0000000001C9B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://push.mobilefonex.com | rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4459759875.0000000004845000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | 5006_2.6.2.exe | false | | high
http://maps.google.com/?q= | svcAppInit.dll0.3.dr | false | | high
http://client.mobilefonex.com/gatewayV | rundll32.exe, 0000000A.00000002.4458563035.00000000009AB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://developers.google.com/protocol-buffers/ | rundll32.exe, 0000000A.00000002.4464252813.000000006AA02000.00000002.00000001.01000000.0000001D.sdmp, libprotobuf-lite.dll0.3.dr | false | | high
http://nsis.sf.net/NSIS_Error | main_installer.exe, main_installer.exe, 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp, main_installer.exe, 00000003.00000000.2085500259.000000000040A000.00000008.00000001.01000000.00000008.sdmp, 5006_2.6.2.exe | false | | high
http://xml.org/sax/features/namespace-prefixesx | rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://xml.org/sax/properties/declaration-handler | svcAppLookup.exe, svcAppLookup.exe, 00000008.00000002.4458821210.000000000121A000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4461246118.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4465587996.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp, PocoXML.dll0.3.dr | false | | high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | nt_system_service.exe, 00000009.00000002.4460150594.00000000013D2000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs | nt_system_service.exe, 00000009.00000002.4460150594.00000000013D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0? | certutil.exe, 0000000C.00000003.2199415266.00000000022DB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2201853866.00000000022EB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000003.2203013749.0000000001C9B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://xml.org/sax/features/validation | svcAppLookup.exe, svcAppLookup.exe, 00000008.00000002.4458821210.000000000126C000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4461246118.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4465587996.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp, PocoXML.dll0.3.dr | false | | high
https://portal.mobilebackup.biz/help/en/install/pc/configure-exclusions-for-windows.html | antivirus_detector.exe | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.appinf.com/features/no-whitespace-in-element-contentS | rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://xml.org/sax/properties/lexical-handler | svcAppLookup.exe, svcAppLookup.exe, 00000008.00000002.4458821210.000000000126C000.00000004.00000020.00020000.00000000.sdmp, svcAppLookup.exe, 00000008.00000002.4461246118.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4465587996.000000006BA87000.00000002.00000001.01000000.00000019.sdmp, rundll32.exe, 0000000A.00000002.4458563035.000000000097A000.00000004.00000020.00020000.00000000.sdmp, PocoXML.dll0.3.dr | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
119.8.47.97 | push.mobilefonex.com | Singapore | 136907 | HWCLOUDS-AS-APHUAWEICLOUDSHK | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1412313
Start date and time: 2024-03-20 11:49:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 5006_2.6.2.exe
Detection: MAL
Classification: mal54.phis.bank.adwa.spyw.evad.winEXE@17/121@1/1
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 171
  • Number of non-executed functions: 193
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Override analysis time to 240s for rundll32
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                      Time | Type | Description
                                                      11:50:16 | API Interceptor | 1x Sleep call for process: post_install.exe modified
                                                      Match: 119.8.47.97
                                                      Associated Sample Name / URL | Detection | Threat Name
                                                      android.apk | malicious | Unknown
                                                      android.apk | malicious | Unknown
                                                          No context
                                                      Match: HWCLOUDS-AS-APHUAWEICLOUDSHK
                                                      Associated Sample Name / URL | Detection | Threat Name | Context (IP)
                                                      ocs-office.exe | malicious | Unknown | 119.8.87.215
                                                      5WTG6N45CH.elf | malicious | Mirai | 159.138.222.4
                                                      aA8sPbK4EG.elf | malicious | Moobot | 119.8.64.12
                                                      zpIXM3FqqH.elf | malicious | Mirai | 119.8.39.77
                                                      huhu.arm5-20240212-0910.elf | malicious | Mirai, Okiru | 119.8.40.42
                                                      https://kso.page.link/wps | malicious | Unknown | 114.119.189.26
                                                      skyljne.mips.elf | malicious | Mirai | 119.8.88.17
                                                      TqA3GrJsfl.elf | malicious | Mirai | 119.10.40.126
                                                      https://us.docs.wps.com/module/common/loadplatform?sa=16&st=0t&sid=sicb8ypvckj3kqqy&v=v2 | malicious | Unknown | 159.138.103.235
                                                      xd.arm.elf | malicious | Mirai | 159.139.52.126
                                                          No context
                                                      Match: C:\Program Files (x86)\Windows Provisioning\libs\Packet.dll
                                                      Associated Sample Name / URL | Detection | Threat Name
                                                      https://www.winpcap.org/install/default.htm | malicious | Unknown
                                                      Je7wwdubnQ.exe | malicious | PrivateLoader
                                                      https://dl.weintek.com/EBPro/Installer/EBproV60801350.zip | malicious | Unknown
                                                      ywvz5i8kT9.exe | malicious | Unknown
                                                      vcredist_2010.exe | malicious | Unknown
                                                      vcredist_2010(1).exe | malicious | Unknown
                                                      v.exe | malicious | Unknown
                                                      okIQd4f03Z.exe | malicious | Unknown
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):3825664
                                                                          Entropy (8bit):6.807627061589882
                                                                          Encrypted:false
                                                                          SSDEEP:49152:Wh0gMp73LnCRWdDnAdGJS7jgrHls8v9udNgdJ0TDMQtzASPrxqTAqBSXbKUJow:gMt3LnU47A48IrHK8v92NYQ66
                                                                          MD5:043AD966D71FA7E4821AAD0597F76575
                                                                          SHA1:19B59EF247DFE026074F53AF45B97E3D03106F9A
                                                                          SHA-256:3316A4E7CB195346D89369D9B2C6DD17559E09ADA31DB1B40989A4388D4872E3
                                                                          SHA-512:9678368E1FF25668C8DAC7175CFB993A63805EC14115D7141659D0D949113FC044A469B764C60BA091318BAE674068009FCAF1035758175E3675A3CAB6DA7472
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                                                          Reputation:low
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.rc~g.0~g.0~g.0~g.0fg.0...0xg.0...0\g.0...06g.0...0.g.0~g.0.g.0...0sg.0]..0\d.0]..0Ug.0...0.g.0...0.g.0...0.g.0Rich~g.0................PE..L......d...........!......+.........R.........+...............................:...........@...........................7.&.....7.......8.p.....................8.,.....+.8...........................P.6.@.............+..............................text....+.......+................. ..`.rdata..6.....+.......+.............@..@.data...`.....7.......7.............@....rsrc...p.....8......h8.............@..@.reloc........8......l8.............@..B................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):112128
                                                                          Entropy (8bit):5.990046438461227
                                                                          Encrypted:false
                                                                          SSDEEP:3072:IAtQBF1id2yPE29M3E+05UEl1NotPVEe:IA+82Yed05UEl8FV
                                                                          MD5:548036F96AC135024FF7C53F0358C1E8
                                                                          SHA1:8ECD85A5372F4AEABA5F2599EB3064EDE1938606
                                                                          SHA-256:42BF844B41C70DDFF4BDC0C42164CC5BC730B333444C6232953774FC56136D25
                                                                          SHA-512:9BFCD1C6951C3CE1C24C93A14D2A601B489A47E2A810B5E05E9EC458934FBBF5BEE3106626906FC30CB1FB642A5DD32E7D12787D307A9B3F7383816B8D73D196
                                                                          Malicious:false
                                                                          Reputation:low
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........I.R.(...(...(...P ..(...v...(...v...(...v...(...v...(....x..(...(...(..Mv...(..HvL..(...($..(..Mv...(..Rich.(..........................PE..L...hZ.e..................................... ....@.......................................@..................................%.......P..`.......................L....!..p............................"..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......................@....gfids.. ....@....... ..............@..@.rsrc...`....P......."..............@..@.reloc..L...........................@..B........................................................................................................................................................................................................................................................
                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):3914
                                                                          Entropy (8bit):4.082468935947237
                                                                          Encrypted:false
                                                                          SSDEEP:48:3kEGCp3zaGCD3rGCD30Y4MClATKr43it1S6D3v:UETp3zaTD3rTD3lveAG0ie6D3v
                                                                          MD5:D5B737AA65B724174DD84D632C253283
                                                                          SHA1:EB2A88BB8F4781960BD05357B8D79F1248EC26DC
                                                                          SHA-256:8AD57696ED5E5CF422BAF5A21AA3738103FCE8269BAE5C605313CB14FBCCA535
                                                                          SHA-512:B5E2E99910E836C7F76F51756FFBB5E9AC406D64974435C038B6FE2270ED6815BEA03495CC8FCC94707E458E37765181393DAB30CBBA583D7F78B590C372760F
                                                                          Malicious:false
                                                                          Reputation:low
                                                                          Preview:.<?xml version="1.0" encoding="utf-8"?>..<configurations date="11/10/2023 13:42:14" pid="5006">.. <configuration id="-1">.. <features />.. <remote_commands>.. <cmd id="92">.. <settings>.. <setting id="76" />.. </settings>.. </cmd>.. <cmd id="147" />.. <cmd id="148" />.. <cmd id="149" />.. <cmd id="200" />.. <cmd id="226" />.. <cmd id="400" />.. <cmd id="401" />.. <cmd id="404" />.. <cmd id="14144" />.. <cmd id="14587" />.. </remote_commands>.. </configuration>.. <configuration id="-2">.. <features />.. <remote_commands>.. <cmd id="2" />.. <cmd id="92">.. <settings>.. <setting id="76" />.. </settings>.. </cmd>.. <cmd id="147" />.. <cmd id="148" />.. <cmd id="149" />.. <cmd id="200" />.. <cmd id="226" />.. <cmd id="400" />.. <cmd id="401" />.. <cmd id="404" />.. <cmd id="14142" />.. <cmd id="14587" /
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):3920
                                                                          Entropy (8bit):7.948224416130811
                                                                          Encrypted:false
                                                                          SSDEEP:96:C5n4zBDEo17hoeYkmElrYsF7Zf7W+h6d/bDgcYohEWgctH:C5n4FDJhoHAb71C/dYcphbPtH
                                                                          MD5:F8927576A49A96D59413C1BC6ED58A33
                                                                          SHA1:BF961F9797E3A2D4165F39438858CB896F413A46
                                                                          SHA-256:B625A8694B4E4D3E360BD153C30DE8851567187F179E988B077AE6F36D2DF5CC
                                                                          SHA-512:2337FDDD87B4F94E2FF265C8EA32ACF9E9103FCF263E4D5F0DFFD08DC5329CEC16332EA93F8E796D29E19DAAF933DF6FAECE73C191D0CB92261FB29B5516CFCB
                                                                          Malicious:false
                                                                          Reputation:low
                                                                          Preview:..H..U.F|.\..5.\<....0.d...b>..C..P...7Tw...lc.......f_9h|k..)?...n..H`4...*.pPti..d*..e..Xm......+e....`.ct...rp.,q3.5i.._..c.j....w0..25.:.x.9..E<:D.].Maa.....Bf...n&......J..k...@E.JA.....T..m..K.......2..1.....I0.6r.K...fX.+..g..s......F..B.....p.z$..ru..d....WY.V....\.....G.....j..5S..`.m.u.F.,....k......L....R..\.."..?R..z...._[....L.@+..........g....,.RT0....|oD..U...e..Ed.>....h.u$...n.-..h.........xU;./g.p.......U.S....-..L...y..O.K..<#._j4U.{x....0T.....gS.......i.L.B.SE.|.s.......DU-....p.1.3|jB.e..K._.OG..D.......u\...D...:..J...x-...D...Jl. .im.hz.....L.,.{.(.SG..(.k.}(cZ..z....C.Sf......0..2{4.....3......7..'...0.5,."Woc=`.Y.3..Rn5.S.`..fx..I_d.|V!w3.u..K..B......0...fT..c.....U...r.....z`.. ..I ...1..Wu2..;..(>..@..f...f.#..)..2........|.).....3u.d...&........:..X...~...l.(..._.;zf.Y...p...d.Ct....e......].u...5j.?.3..2.y2.Er.Y?....f.i.J..Xo.TA%O.6.}.....7.....&.6]Fy&<....9..O..\..g@_...8u..p...1h.n.....
                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                          File Type:SQLite 3.x database, last written using SQLite version 3007015, page size 1024, file counter 1, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 1
                                                                          Category:dropped
                                                                          Size (bytes):3072
                                                                          Entropy (8bit):1.5050212272099597
                                                                          Encrypted:false
                                                                          SSDEEP:12:HLiuWkK2TSFlyoR+7Fx9GgCWRKyqFokqoACh4:riuWR22Z+79GgCWR9Wqg
                                                                          MD5:2EEAF9E158F6311631319A26F9C0364B
                                                                          SHA1:251AC38DABCEE08D70A7C67C1A7DC70BF09E5D23
                                                                          SHA-256:0D9CF6E47F075A17269610364ACEF5F695AC756B29587B98CF4562930A44814B
                                                                          SHA-512:4CBEA29E335DAF36F2192D979ABDB2F86DAC7D7E28DA95CC82F107E5A94368DA1D1EEA708051C3450D27E38F6771F7EFAB12100AAF3E96325938B9982A5209FE
                                                                          Malicious:false
                                                                          Reputation:low
                                                                          Preview:SQLite format 3......@ .........................................................................-.'......+..}.+...........................................................................................................................................................................................................................................................................................................................................................................................................................................................P...++.Ytablesqlite_sequencesqlite_sequence.CREATE TABLE sqlite_sequence(name,seq).........gtableddmddm.CREATE TABLE ddm (_id INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, caller_id INTEGER, cmd_id INTEGER, priority_request INTEGER, delivery_request_type INTEGER, csId INTEGER, ready_to_resume BOOLEAN, retry_count INTEGER, max_retry_count INTEGER, data_provider_type INTEGER, is_require_encryption INTEGER, is_require_compression INTEG
                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                          File Type:SQLite Rollback Journal
                                                                          Category:dropped
                                                                          Size (bytes):512
                                                                          Entropy (8bit):0.28499812076190567
                                                                          Encrypted:false
                                                                          SSDEEP:3:7FEG2l/eO/Hlxll:7+/l/N
                                                                          MD5:7251CD0E49FFAD27B66AD762FA37848D
                                                                          SHA1:F96A0508B6DC44F625B699820D59C3DF5E369185
                                                                          SHA-256:3C896A2F3224BD103FC69722060D6F668DAD8F32A424F899AA7836383ED390EE
                                                                          SHA-512:A7299F297D5F50BFA0A15DB27AC31F6D7712E847444858283D7A764B37C027634B2B026470269BD3EA3023A77C6ED7F20D3FAB08892C087F7E33CDEA568CD3C1
                                                                          Malicious:false
                                                                          Reputation:low
                                                                          Preview:.... .c.......V.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe
                                                                          File Type:Certificate, Version=3
                                                                          Category:dropped
                                                                          Size (bytes):830
                                                                          Entropy (8bit):7.4018997881528765
                                                                          Encrypted:false
                                                                          SSDEEP:24:pEqbCsPw0qbCst7NVM+uAR2CPxAoyG7G4WF:asCWNsCQN2DAR2CPOxIGLF
                                                                          MD5:352FAD67617A81520B7E98AAC865F70D
                                                                          SHA1:80C410E174EDD8983D7ED0379677E2550BAF8511
                                                                          SHA-256:3354D8B378827219893C2E1C9C0D32021BC3ADC494D1D0FE385952F52DEF6A4B
                                                                          SHA-512:D57F124D15F7D88F1DB13421418937E525859C998333DEED8A2EE4EBB9FAD5D04710F8FBC536C2F52D33C76AE2C69A7C49E58E25FAE4040CDB6AFB45085820BD
                                                                          Malicious:false
                                                                          Reputation:low
                                                                          Preview:0..:0.."..........&Z....w.=Y..II0...*.H........0E1.0...U....EN1604..U...-DigiCert SHA2 Extended Validation Server CA 30 ..040325105017Z..20640310105017Z0E1.0...U....EN1604..U...-DigiCert SHA2 Extended Validation Server CA 30.."0...*.H.............0............q.EN....a.k.,:..H.L.d1".{q.a..Z$^l3'..\....!..4.9..M..d....3V11,.p...&Q1.^T.c/Q..d.p%...7..rX0...W@...`.{l..|...2r......'X.*.o.8....B...7.k.K.R.I.7..\SL..u.C.(..,.9..sFK.....s....}[...........w.s...&qrr9.....I..Q......a|..,.j.....u.!........#0!0...U.......0....0...U...........0...*.H..............^...T?...5Q..A4.3.A._.8..'..e...*..gU...f...b.C.t.l-|..[. ..f.6$...AC..O.X./,z;.........J1;..[F..B.....`p.D~`r......I~~..=9..Cb.>.k..w............Y.l..N....N..15J..~:.B../.W...L.q.2..N..._...=._...+~.{.'.h0;..E.1.r..}..\.%.|:....YK7*.I..
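A triage check for the certificate entry above, added here as an example; it is not code from the report or from the analysed sample. The preview shows a Version 3 certificate whose issuer and subject are both C=EN, CN=DigiCert SHA2 Extended Validation Server CA 3 (the two identical Name structures bracket the Validity) and whose notAfter is in 2064, and the signature list for this sample includes "Installs new ROOT certificates". The script below parses only the fields that matter (issuer, validity, subject, SHA-256 fingerprint) with a small standard-library DER walker and flags a certificate that is self-signed, valid for an implausibly long span, or wears a public CA's name without being in a trusted-root baseline. The certificate it exercises is constructed to mirror the preview, with a dummy key and signature that are never verified; the `PUBLIC_CA_WORDS` list, the 30-year threshold and the empty `allowlist_sha256` are assumptions to replace with your own baseline.

```python
"""Triage a dropped X.509 certificate for signs of a rogue root.
Added example, not code from the report or the sample. Standard library only: a
small DER walker extracts issuer, validity and subject; nothing is verified
cryptographically. build_test_cert() produces a constructed certificate that
mirrors the preview, with a placeholder key and signature."""
import datetime as dt
import hashlib

# ---- minimal DER encoder, used only to build the constructed test certificate ----
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def seq(*parts: bytes) -> bytes:
    return tlv(0x30, b"".join(parts))

def x509_name(cn: str, country: str) -> bytes:
    """Name ::= SEQUENCE OF RDN; each RDN is a SET holding one AttributeTypeAndValue."""
    c_rdn = tlv(0x31, seq(tlv(0x06, b"\x55\x04\x06"), tlv(0x13, country.encode())))  # 2.5.4.6 countryName
    cn_rdn = tlv(0x31, seq(tlv(0x06, b"\x55\x04\x03"), tlv(0x13, cn.encode())))      # 2.5.4.3 commonName
    return seq(c_rdn, cn_rdn)

SHA256_RSA = seq(tlv(0x06, bytes.fromhex("2a864886f70d01010b")), tlv(0x05, b""))  # 1.2.840.113549.1.1.11
RSA_ENC = seq(tlv(0x06, bytes.fromhex("2a864886f70d010101")), tlv(0x05, b""))     # 1.2.840.113549.1.1.1

def build_test_cert(issuer: bytes, subject: bytes, not_before_utc: str, not_after_gen: str) -> bytes:
    """Constructed v3 certificate: UTCTime notBefore, GeneralizedTime notAfter, zero key and signature."""
    version = tlv(0xA0, tlv(0x02, b"\x02"))                      # [0] EXPLICIT INTEGER 2 means v3
    validity = seq(tlv(0x17, not_before_utc.encode()), tlv(0x18, not_after_gen.encode()))
    spki = seq(RSA_ENC, tlv(0x03, b"\x00" * 17))                  # BIT STRING of zeros, not a real key
    tbs = seq(version, tlv(0x02, b"\x01"), SHA256_RSA, issuer, validity, subject, spki)
    return seq(tbs, SHA256_RSA, tlv(0x03, b"\x00" * 17))          # zero signature, never checked

# ---- minimal DER reader ----
def read_tlv(buf: bytes, pos: int):
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                                  # long form: low 7 bits give the byte count of the length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def children(body: bytes):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

ATTR_NAMES = {b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x03": "CN"}

def decode_name(body: bytes) -> str:
    parts = []
    for _, rdn in children(body):
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            parts.append(f"{ATTR_NAMES.get(oid, oid.hex())}={value.decode('utf-8', 'replace')}")
    return ", ".join(parts)

def decode_time(tag: int, value: bytes) -> dt.datetime:
    s = value.decode()
    if tag == 0x17:                                # UTCTime: RFC 5280 maps YY>=50 to 19YY, else 20YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ")

def parse_cert(der: bytes) -> dict:
    _, cert_body, _ = read_tlv(der, 0)
    (_, tbs), _sig_alg, _sig = children(cert_body)
    fields = children(tbs)
    if fields[0][0] == 0xA0:                       # optional [0] version precedes the serial when present
        fields = fields[1:]
    _serial, _alg, (_, issuer), (_, validity), (_, subject) = fields[:5]
    (nb_tag, nb), (na_tag, na) = children(validity)
    return {"issuer": decode_name(issuer), "subject": decode_name(subject),
            "not_before": decode_time(nb_tag, nb), "not_after": decode_time(na_tag, na),
            "sha256": hashlib.sha256(der).hexdigest()}

# Assumed list of CA brand names; extend it for your environment.
PUBLIC_CA_WORDS = ("digicert", "globalsign", "sectigo", "comodo", "entrust", "godaddy", "verisign", "microsoft")

def assess_root_candidate(der: bytes, max_years: float = 30.0, allowlist_sha256=frozenset()):
    """Parsed fields plus the reasons, if any, to treat the certificate as a rogue root.
    Genuine public roots are self-signed too, so they are recognised by fingerprint
    (allowlist_sha256, e.g. the roots exported from a clean baseline host), never by name."""
    cert = parse_cert(der)
    reasons = []
    self_signed = cert["issuer"] == cert["subject"]
    if self_signed:
        reasons.append("self-signed (issuer == subject)")
    years = (cert["not_after"] - cert["not_before"]).days / 365.25
    if years > max_years:
        reasons.append(f"validity span of {years:.0f} years")
    if self_signed and cert["sha256"] not in allowlist_sha256 \
            and any(w in cert["subject"].lower() for w in PUBLIC_CA_WORDS):
        reasons.append("bears a public CA's name but is not in the trusted-root baseline")
    return cert, reasons
```

To run it against the real dropped file, pass the raw DER bytes to `assess_root_candidate` with the fingerprints of your baseline root store as `allowlist_sha256`; matching by fingerprint rather than by name is the point, because a name can be copied but the real CA's root fingerprint cannot.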
                                                                          Process:C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe
                                                                          File Type:Applesoft BASIC program data, first line number 45
                                                                          Category:dropped
                                                                          Size (bytes):2093
                                                                          Entropy (8bit):7.888828784909139
                                                                          Encrypted:false
                                                                          SSDEEP:24:/Rel4w1bApKvhcRS94F/5UlFAaYhFf9kOEvlNGAmKtSrIXqHFzw+Eie+p+SwuaQz:/8l96pGz94F/5Iwxq9Sr/H9JEiJp+wnz
                                                                          MD5:6A9E1E692A2BB6AEEB201564B9360880
                                                                          SHA1:CCA9C2F8038777D207809FE722BDE6BE3B03CEF8
                                                                          SHA-256:A92D75583EEA6101634E30981870E7C8C56E56AF1F2A7B0BCD704B29983959DF
                                                                          SHA-512:53B36B3FB1B21146B370B6032B6782EE45DF430E30A17C38B8CDE8E38AAF8A6C24600B275987083529BFFE2816086305CADF4028E291CC000519F227F2B8C2C6
                                                                          Malicious:false
                                                                          Reputation:low
                                                                          Preview:-.-.>...........digicert sha2 extended validation server ca 3.-..s.Z....$.....s..J..<..}..C...q..o..<....X...T.w../.czX1.6. .D.)p....9z&.u..d....=..y.v.q.G.4$.yw.......tTk.=.n.@.........H.J......I.i......mJM..r{...m..jp.^..$...Q.U..u..&..cgy..>.[...F...h.J.^.t.&..,*...oj.%.j..b.6SfLG..{..O.......D....j.....3(.fu.R. .....%..Ot.$.;=.d'.,.V.x.%.N.\..em..|.qW..;e...K..gC0L.)O...X.<fi.Y..D...$...6..i....a..."...Y5..+.7j.-...|.@.r.b......k'..B..g...s...+4+.n....%.....|y.....`.;.+.......v..\..).5.4.5.<.MFP...{m;.gi......#.....c..{..1[......H6R..(`{..m..s.....bA.zD...J.KI\.n.*<<.Q..o_3...tF.&......i...r...Q.gX5(...u..SW...X.@..l..ep&.nA..9..'...r:r.Q...0.....X......z!...d...!.b...."PV7s.....-...3K.y..Z-.e.d.7..s..8.w./..iu1..r.W.~U....q..r..@.M.w..Z%.$.|.n.\.v.x3.U,.'.[..R.C.[d1_.mP.5Y#Q=.0.eEX.Eh.D..7f....?.....o.gx..T7.l...i<.J........NH...w.{5ra.UJ./..."..!>.{.<...$${...=!.$_.....q..........7.........W..8sZ..-.?J.....II......~.P..%,..j[F...}...W.
                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                          File Type:SQLite 3.x database, last written using SQLite version 3007015, page size 1024, file counter 3, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                          Category:dropped
                                                                          Size (bytes):7168
                                                                          Entropy (8bit):2.4492424966568014
                                                                          Encrypted:false
                                                                          SSDEEP:48:Qx2BS0AMrXGPTox2BS0AMrXGPTv2DHny3:ZAi2LBAi2L3
                                                                          MD5:9798AFE5FA7E3D46472B3E5AAA8AEA11
                                                                          SHA1:40F3F986F9ACF936104A06C20F44BBFE3822087B
                                                                          SHA-256:45DCD3DF48218D9A953476B780C085D84A0F0CEB384C56EBEBE751B5603F3E7E
                                                                          SHA-512:AF66782033789EB5D1101937384419FF0BFF5F8126F34862549FFEEB3E86628C475C43AF3F982B04AC822095B948AD0E259EFAB9EF0AB06C1F612FDABC427EE5
                                                                          Malicious:false
                                                                          Reputation:low
                                                                          Preview:SQLite format 3......@ .........................................................................-.'.................................................................................................................))..Ctablecsid_generatorcsid_generator.CREATE TABLE csid_generator (BASE_ID INTEGER PRIMARY KEY AUTOINCREMENT,latest_csid INTEGER)P...++.Ytablesqlite_sequencesqlite_sequence.CREATE TABLE sqlite_sequence(name,seq).T...++.._tablephoenix_sessionphoenix_session.CREATE TABLE phoenix_session (BASE_ID INTEGER PRIMARY KEY AUTOINCREMENT,csid INTEGER,ready_flag INTEGER, payload_path TEXT, payload_size INTEGER, payload_crc INTEGER, public_key BLOB, ssid INTEGER, aes_key BLOB, protocol_version INTEGER, product_id INTEGER, product_version TEXT, config_id INTEGER, device_id TEXT, activate_code TEXT, language INTEGER, phone_number TEXT, mcc TEXT, mnc TEXT, imsi TEXT, host_url TEXT, encrypt_code INTEGER, compress_code INTEGER, has_virtual_payload INTEGER, virtual_payload_attributes BLOB, conn
                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                          File Type:SQLite Rollback Journal
                                                                          Category:dropped
                                                                          Size (bytes):1544
                                                                          Entropy (8bit):4.014400059384823
                                                                          Encrypted:false
                                                                          SSDEEP:12:7+t1l/+LCgXc7LEr9XhTSFlyy+WFAVb9XQW2eaNbC3EL8MrRXFLsrPdR4a1Kw3ta:7+t1Z8LcMRXh2lrSbLUAMrXLKP7P1J2F
                                                                          MD5:693721DB697E121AD5FFDBB5ADEA39BD
                                                                          SHA1:B63CEDA6A7092ABBF00CCFC6013A8D0DDAF7464A
                                                                          SHA-256:0D628F06C915CF720484AFF8526274FCEC8AAAD609F0071057721001AED444F6
                                                                          SHA-512:08EFA78E4F0224AA82FC5DFF87D220DF9E829F1099B1F982314F201E9F982D8CC23C1E8D60B1E71D0A7C9B281F7C8EE11FC4A13BBBCBF54657FF6D83F7890374
                                                                          Malicious:false
                                                                          Preview:.... .c......6m.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................SQLite format 3......@ .........................................................................-.'...........W.....................................................................................................))..Ctablecsid_generatorcsid_generator.CREATE TABLE csid_generator (BASE_ID INTEGER PRIMARY KEY AUTOINCREMENT,latest_csid INTEGER)P...++.Ytablesqlite_sequencesqlite_sequence.CREATE TABLE sqlite_sequence(name,seq).T...++.._tablephoenix_sessionphoenix_session.CREATE TABLE
                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                          File Type:SQLite 3.x database, last written using SQLite version 3007015, page size 1024, file counter 1, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 1
                                                                          Category:dropped
                                                                          Size (bytes):3072
                                                                          Entropy (8bit):1.1227230499255765
                                                                          Encrypted:false
                                                                          SSDEEP:12:HLiuWk7OTSFlyni3RoVFsTf9L7eHjvwJ:riuWH2Ke5Lgjvw
                                                                          MD5:64A6263D9211AB255F7D6215D8F7A1F7
                                                                          SHA1:95FD726F22DB37D364D4308FCA5A4F4927C8881B
                                                                          SHA-256:B62D1108B9A20B63F0CA6DC63ACF14D0DA9D4323C5E055780E32B27A65420B8F
                                                                          SHA-512:115F23302530485C93F91DC5A730A194129A4759CBF3F0450EFB9473CFA830C325A426F7346E647058CA9D68EDD3BEBE0B5EFACEBA17E3206BC90ABE2F56199E
                                                                          Malicious:false
                                                                          Preview (SQLite 3 database header; recoverable schema fragments): CREATE TABLE sqlite_sequence(name,seq); CREATE TABLE rmt_cmd_data (id INTEGER PRIMARY KEY AUTOINCREMENT, cmd_code TEXT, is_reply_msg INTEGER, sender TEXT, rmt_cmd_type INTEGER, arguments BLOB, retry_coun (truncated in preview)
                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                          File Type:SQLite Rollback Journal
                                                                          Category:dropped
                                                                          Size (bytes):512
                                                                          Entropy (8bit):0.28499812076190567
                                                                          Encrypted:false
                                                                          SSDEEP:3:7FEG2l/20Xu//lxll:7+/l/b
                                                                          MD5:3077B14B100C4120D6FAC1187681C31E
                                                                          SHA1:1EB9F368BD357D2CF16640B780580A39053E0524
                                                                          SHA-256:F4A544D227FE6BB207E814FF839C73313441A5BB48BFA248CFB3CD6F506E488F
                                                                          SHA-512:353EDF54CF558467E3BBD38B5B8A7517156CC57D900F87B98167E0987F0E2D8BC8B776A353BE065404C1B41970ECDE137FFA04DD1856E06D0A64B8C11ED2D0FF
                                                                          Malicious:false
                                                                          Process:C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe
                                                                          File Type:SQLite 3.x database, last written using SQLite version 3007015, page size 1024, file counter 1, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 1
                                                                          Category:dropped
                                                                          Size (bytes):3072
                                                                          Entropy (8bit):1.0219047859655728
                                                                          Encrypted:false
                                                                          SSDEEP:6:lpbNFlEuWk7IxjvATSFRxtLumV1WkQmLu44wQeL9CNf0An94M:HLiuWk+MTSFlyUWkQH44wXL9WMAnqM
                                                                          MD5:240D9CD103432E345E4ECE0F8001E178
                                                                          SHA1:B406F7E9F1C8CF28D86A2245A6DBD48404FAA92A
                                                                          SHA-256:E70010FBB6E4CDA6825D4C6A8381B3B8B1625953850DE73A2E029B79AD748B1D
                                                                          SHA-512:3A81AED6D08B36B3FA5555038B8D62133A81D2CECED3E132D277B02064193E5A2B1EA03A6737A49434A3176CC46DE3FDC9A2FAE61AB29333CBB3483924335036
                                                                          Malicious:false
                                                                          Preview (SQLite 3 database header; recoverable schema fragments): CREATE TABLE sqlite_sequence(name,seq); CREATE TABLE fx_session_store (id INTEGER PRIMARY KEY AUTOINCREMENT, session_type INTEGER, session_user TEXT, session_doma (truncated in preview)
                                                                          Process:C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe
                                                                          File Type:SQLite Rollback Journal
                                                                          Category:dropped
                                                                          Size (bytes):512
                                                                          Entropy (8bit):0.28499812076190567
                                                                          Encrypted:false
                                                                          SSDEEP:3:7FEG2l/r9/Hlxll:7+/l/r9/
                                                                          MD5:4D11D30A7D74FDB160A0D61E63BFEA96
                                                                          SHA1:84314F76A6E9E3E67637FA0891AB44F93A7A3B1F
                                                                          SHA-256:26D4F3C4A1764F4E49183774AE5BE79663A59A3BEE79AF2D174E75CD4514C15C
                                                                          SHA-512:81CB1364C39F841DCEF483BFE028474EAE3673EE571BF204E63D4D43E05C36293C467E6EAC24C83B1F0FC848C1D68244A2E80526C8C7F269D99BF3D020E6D1FF
                                                                          Malicious:false
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):6
                                                                          Entropy (8bit):1.9182958340544893
                                                                          Encrypted:false
                                                                          SSDEEP:3:3jF:J
                                                                          MD5:DF4F0F1534FAA418D6185F67DAA63A7B
                                                                          SHA1:D1501DEAE95507919B30F2ADFA13EE822464CC92
                                                                          SHA-256:3CFDEC96C972680CABF7829616A54508CABCFC4FBF80AB160DCAD001322AF69F
                                                                          SHA-512:CF5493D53B591941C1123BF347DDDFC123196A94EB6B1685E32D37BF42FBBEAA8619AF5A6F73F0E1216951856C0C73D97F0DF221020EDC3F27E9CCCC424DEE62
                                                                          Malicious:false
                                                                          Preview:2.6.2
                                                                          Process:C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe
                                                                          File Type:SQLite 3.x database, last written using SQLite version 3007015, page size 1024, file counter 1, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 1
                                                                          Category:dropped
                                                                          Size (bytes):3072
                                                                          Entropy (8bit):1.0165276862161985
                                                                          Encrypted:false
                                                                          SSDEEP:6:lpbNFlEuWk7aEvATSFRxtLumQBbfQhxgLu44ksl9v9Lr6l0u8td94M:HLiuWk27TSFlyjBbfQhH44ka9qMdqM
                                                                          MD5:B0C191CBBF25AF57721B05A8A24D2A7D
                                                                          SHA1:F9E30EA936FB1FCEA7DC0E224D8ADC624A22AF97
                                                                          SHA-256:CD45AB535008EF90AC3200B9F77DE92ED21BFDC8F4B44C9362404C7F33487B0F
                                                                          SHA-512:5EE806C86EF292C3869539605C78CB90FCAB0900856499B5DD0D6F25E83C2DCCF71E98363C6D71AFFAFBDEA862222D7879758B5A4D2D3D0FBDA8AA26636E25D6
                                                                          Malicious:false
                                                                          Preview (SQLite 3 database header; recoverable schema fragments): CREATE TABLE sqlite_sequence(name,seq); CREATE TABLE fx_web_mail_2 (id INTEGER PRIMARY KEY AUTOINCREMENT, email_provider INTEGER, email_id TEXT, email_direction (truncated in preview)
                                                                          Process:C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe
                                                                          File Type:SQLite Rollback Journal
                                                                          Category:dropped
                                                                          Size (bytes):512
                                                                          Entropy (8bit):0.28109187076190567
                                                                          Encrypted:false
                                                                          SSDEEP:3:7FEG2l/Yz1/lxll:7+/l/
                                                                          MD5:81A243FD14C0C38850FAE3DB117D5011
                                                                          SHA1:6703BAD3E87D121432E1834EE0A4CD5848E36E16
                                                                          SHA-256:0E3B9272AFF8BBF6DFDBD265E46F658CC886C1661D529C5FFAA705B57B434DCE
                                                                          SHA-512:CEDD7EBB3747892EA812CB18CA909A1DF0BD779F7B2CDC576C645F93857E15072004C9C52D683DC21E39C6AEE3EA124A1D45352A387C55FFC23416E498298C49
                                                                          Malicious:false
                                                                          Process:C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe
                                                                          File Type:SQLite 3.x database, last written using SQLite version 3007015, page size 1024, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                          Category:dropped
                                                                          Size (bytes):5120
                                                                          Entropy (8bit):1.4964238790692588
                                                                          Encrypted:false
                                                                          SSDEEP:24:r8izDYQGNwaDdktTylX0O2xbLSBU4Dj/OIY6:PYQ+RktTAEO2xWGwOv
                                                                          MD5:883E5AD1C04E47B9AD7F0C2D330323EB
                                                                          SHA1:5403AC901BF0D5280E0F29A95800FCF003B0C3EA
                                                                          SHA-256:72DA484A1E201CB2B1D8CCFEECA877A30BFF9448CDFF815896550306E1C7ADBF
                                                                          SHA-512:BA7F2AA110DBD4914E3ACBF44A2D5E09051F7606B32724EF17E4CA48E5ECF0D7FA1CBBE9FB32C3BA3F459809098F1EE66E5932AA6BC59597C139CE621F52C646
                                                                          Malicious:false
                                                                          Preview (SQLite 3 database header; recoverable schema fragments): CREATE TABLE fx_recipient(Id INTEGER PRIMARY KEY AUTOINCREMENT,recipient_type INTEGER,recipient TEXT,recipient_contact_name TEXT,msg_type INTEGER,msg_id INTEGER); CREATE TABLE fx_attachment2(id INTEGER PRIMARY KEY AUTOINCREMENT,full_path TEXT,msg_type INTEGER,msg_id INTEGER,file_name TEXT); CREATE TABLE sqlite_sequence(name,seq); CREATE TABLE fx_desktop_email(event_id INTEGER PRIMARY KEY AUTOINCREMENT,event_time TEXT,user_logon TEXT,app_id TEXT,app_name TEXT,app_title TEXT,direction INTEGER,service_type INTEGER,sender_email TEXT,sender_contact_name TEXT,subject TEXT,body TE (truncated in preview)
                                                                          Process:C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe
                                                                          File Type:SQLite Rollback Journal
                                                                          Category:dropped
                                                                          Size (bytes):1544
                                                                          Entropy (8bit):3.2093048920294227
                                                                          Encrypted:false
                                                                          SSDEEP:12:7+tE+LCUclUmlmF44R9xQ31X0OTSFly0Tr9h44Bd69BJu4JnkP8j/OpCJW6le:7+tE83mktTylX0O2xbLSBU4Dj/OIY60
                                                                          MD5:F526DDE2B1FEF72D7BDFE1D786EB7D75
                                                                          SHA1:3E88471A535C5DBF5A40156287AD427D05A46099
                                                                          SHA-256:4A35FB8F0A4E0D394A6A8249C65A0F20AD1992823C8E4DE235A2F4A50B27EB44
                                                                          SHA-512:12E447111681463F6D58E3FF3551683EB55B7B69ADD3B03447352D7D3CF1F9F4A727A25F5D90FD229F47849CA968D97C3F28F3254792A41EC41209C6BF1261C6
                                                                          Malicious:false
                                                                          Preview (SQLite rollback journal carrying a database page; recoverable schema fragment): table fx_attachment2 (truncated in preview)
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):19968
                                                                          Entropy (8bit):5.975015207564095
                                                                          Encrypted:false
                                                                          SSDEEP:384:mKT7wkXtiJRLmal+FI+MprHBjKgfjHkO2kvnpfIvfTYb72f8pevb:xxOJ1BkgfbkYPpAva7M8sT
                                                                          MD5:5285E941C30D582AD49228CF7D476464
                                                                          SHA1:C428E253EFF240C101655D128B3684828354006A
                                                                          SHA-256:C010FA2AAB01EC7DB6830B23A8E542F138BD2D16C6F2C532CEC29DF7C3B31DF4
                                                                          SHA-512:BB9F3932E72705BF793161BC28822A9B9A1251E521CD3C1A6018AC68EFC822CA3E2AE5402D46BBB0A27F6DBD2961C71A1A3992FFD59C5DDE1797619E63BB5929
                                                                          Malicious:false
                                                                          Preview (PE32 image: MZ header, DOS stub "This program cannot be run in DOS mode", sections .text, .rdata, .data, .gfids, .rsrc, .reloc)
                                                                          Process:C:\Program Files (x86)\Windows Provisioning\post_install.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):4
                                                                          Entropy (8bit):0.8112781244591328
                                                                          Encrypted:false
                                                                          SSDEEP:3:/ln:t
                                                                          MD5:F2DD0DEDB2C260419ECE4A9E03B2E828
                                                                          SHA1:0AAF76F425C6E0F43A36197DE768E67D9E035ABB
                                                                          SHA-256:26B25D457597A7B0463F9620F666DD10AA2C4373A505967C7C8D70922A2D6ECE
                                                                          SHA-512:FECD7B408089255B3467DC1F7231CC6388C9E1C65DCAA5E50F3B460235D18BC44033B08184018B65AC013FDAE68C0088381644A6302B9D89E468F57FF9A005DD
                                                                          Malicious:false
                                                                          Process:C:\Program Files (x86)\Windows Provisioning\post_install.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):8
                                                                          Entropy (8bit):3.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:cO1:L
                                                                          MD5:E32A9739783BA322193318CFF3C43EE6
                                                                          SHA1:40325E25312FA8F1A91F0509505CD73431C75E83
                                                                          SHA-256:C9C4A36E5D02ED79C0416ED2DE1EA53240BAAC752256EA03ECDCA6D039D8DCE9
                                                                          SHA-512:46E592E42AD6962DBFBD2BD17A9AD8D2AD0F13DB6721C6E29CF578CEB543DEFD9DE34C89986A9F7D8CA4535D92225BA7FEB08F1685FC84F034549A68B6AD50A3
                                                                          Malicious:false
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):457728
                                                                          Entropy (8bit):6.611218815671407
                                                                          Encrypted:false
                                                                          SSDEEP:6144:qsTR4+g7wuK4tlpqm8TNwdL3KnL0W9/lNYXDTH3/EtaM+LM/w+pH:qsTR4+g7wur4hwdL3KnLb9HYXMH
                                                                          MD5:F909C898520DE19DA84790CF121DB3B6
                                                                          SHA1:C4988287C46A8F5AB9B24A95009ACDE0AF4800B9
                                                                          SHA-256:24CEEC931DC40D2973BE6F0030DF4FCE5EB337C7E69DF79739493D7235754167
                                                                          SHA-512:E20AEE4FF41A060662D453CD894CC8223DC5CAB69753E670FC0225A3BEF518345FC6D2C1FD54499498A2B0DB6B220A7AE49164F4F2CE2C4209DBA0A5AA8A5C3E
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          • Antivirus: Virustotal, Detection: 0%
                                                                          Preview (PE32 image: MZ header, DOS stub "This program cannot be run in DOS mode", sections .text, .rdata, .data, .tls, .gfids, .rsrc, .reloc)
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):98040
                                                                          Entropy (8bit):6.127745728436191
                                                                          Encrypted:false
                                                                          SSDEEP:1536:zg6Z54QkC2wpk2c+ZCDHKklh74RTfIEtaYQ0:M6Z54ARcIxk4LIEtaYj
                                                                          MD5:86316BE34481C1ED5B792169312673FD
                                                                          SHA1:6CCDE3A8C76879E49B34E4ABB3B8DFAF7A9D77B5
                                                                          SHA-256:49656C178B17198470AD6906E9EE0865F16F01C1DBBF11C613B55A07246A7918
                                                                          SHA-512:3A6E77C39942B89F3F149E9527AB8A9EB39F55AC18A9DB3A3922DFB294BEB0760D10CA12BE0E3A3854FF7DABBE2DF18C52E3696874623A2A9C5DC74B29A860BC
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          • Antivirus: Virustotal, Detection: 0%
                                                                          Joe Sandbox View:
                                                                          • Filename: , Detection: malicious
                                                                          • Filename: Je7wwdubnQ.exe, Detection: malicious
                                                                          • Filename: , Detection: malicious
                                                                          • Filename: ywvz5i8kT9.exe, Detection: malicious
                                                                          • Filename: vcredist_2010.exe, Detection: malicious
                                                                          • Filename: vcredist_2010(1).exe, Detection: malicious
                                                                          • Filename: v.exe, Detection: malicious
                                                                          • Filename: okIQd4f03Z.exe, Detection: malicious
                                                                          Preview (PE32 image: MZ header, DOS stub "This program cannot be run in DOS mode", sections .text, .rdata, .data, .rsrc, .reloc)
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):143872
                                                                          Entropy (8bit):6.369995603809854
                                                                          Encrypted:false
                                                                          SSDEEP:3072:FjY8iLiuBSvvB5irGAB3YFOnzIfuKBNJrSmR:FjiLiuBSvp8au3YFOzuuKBNJrSmR
                                                                          MD5:359B243D01126EDFCE72FA17A6D17EF2
                                                                          SHA1:986209D7BE14AAD4C485A82BAF696F44060C744A
                                                                          SHA-256:B96218444F3AE1DBCCB75DC15FA71D558AB3D2BEA45B9BFE1A0AC5EA4BB21DAB
                                                                          SHA-512:7FE92B6CD5EAF210ADA8642FCF274B3C89B24E6D284D89191D8754D5043D950C97F78F7297553C3EE0E56C60D88223C1E2DCB67397259E9F0647F959DFA8A19B
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          • Antivirus: Virustotal, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........|..........................................................................................................Rich....................PE..L...\.Z...........!.....*...................@...............................p............@..............................R...........@.......................P.......V...............................W..@............@...............................text....).......*.................. ..`.rdata.......@......................@..@.data........ ......................@....gfids..8....0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1224704
                                                                          Entropy (8bit):6.619655547971226
                                                                          Encrypted:false
                                                                          SSDEEP:12288:hwDrxQ3/DeOaPFLxbLpugOgopp2pPgJY/Nom9XeKcmmriYn9UTn/m+GhhsQk3OTT:hwq3/KOohh+M5gQO9i/WHW3OTriG5
                                                                          MD5:7CA710161F0986625BDD223D6E8E37E0
                                                                          SHA1:FF29F5F454D7AF49C472C12CD03ED039B2833D4D
                                                                          SHA-256:8C32BD7E6F0B286C651AF387836718944A6CB2F28BAB0767255E0161B387CCC1
                                                                          SHA-512:CF21B9EC7B13156977A2B06845230CC5222E1F9FBBC2AA7A667DF6ECC60A2A6AE7A08B259F683F53A7C99AAA1B7BC4C1CA1B066E7E6ECB0AF069EA78234A1277
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          • Antivirus: Virustotal, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......JM...,.[.,.[.,.[.T.[.,.[5r.Z.,.[5r.Z.,.[5r.Z.,.[5r.Z.,.[,L.Z.,.[.,.[.,.[.r.Z.,.[.r.Z.,.[.r.Z.,.[.rr[.,.[.,.[.,.[.r.Z.,.[Rich.,.[........PE..L.....Z...........!.................<....................................................@......................... ................`.......................p......P...............................p...@............................................text...'........................... ..`.rdata...(.......*..................@..@.data....I.......:..................@....gfids..@....@......................@..@.tls.........P......................@....rsrc........`......................@..@.reloc.......p......................@..B................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):186368
                                                                          Entropy (8bit):6.437052892190694
                                                                          Encrypted:false
                                                                          SSDEEP:3072:xzKRrdhg6Ie/0EjnStS5g22oqlTPcF6cgWoBcyfYZeoazOrTfbyWwCp:xuRjpIWutyTglrpmoBc/Ze7OrTfbDZ
                                                                          MD5:A6F591815772522ABB444C19CBCB8875
                                                                          SHA1:52D9280B30A399FDCC98CEA5907B4D6BD4B70E4B
                                                                          SHA-256:BBEBACA74FA8F7E5354AE9E6AD14485A73D67AFE4CAC8889F49C6257BAA0A5FA
                                                                          SHA-512:5C9A43B86CF476DC9C5D2953EB9B3522A9A1492C664CE7D73CAD19D9DAE80EBFE002BD8AA5FC41D063D810F7E0FA9B5BA37D4D54388E87BFED8042CD5CF2B85F
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          • Antivirus: Virustotal, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z...>...>...>...7...4.....=.....+.....5.....:.....=......<...>........3.....?.....f.?.....?...Rich>...................PE..L...$.Z...........!.........................................................0............@......................... +..(J..Hu...................................!..`...................................@............................................text.............................. ..`.rdata..............................@..@.data...p...........................@....tls................................@....gfids..@...........................@..@.rsrc...............................@..@.reloc...!......."..................@..B................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):745472
                                                                          Entropy (8bit):6.543320477943913
                                                                          Encrypted:false
                                                                          SSDEEP:12288:R0Spsa6b8Z42X9sIriWvfEKZWJlsusW2PTb:R0Spsa6bi9HvfEKZWJ/R2PX
                                                                          MD5:34271180589EC380E0C973E1EE2B6C7F
                                                                          SHA1:3962D796B5F431D72B5AB8FE4F107CA6CCD8E43B
                                                                          SHA-256:DA4A1875A3F25E2E94FD50BAC9FDB8CF60261167EE0F10E019C7C8CEEEC0D004
                                                                          SHA-512:49AD69EB42005EA17F32F3DDED310595F4922CF138E0989764541A63925F764549A2292A4A0BED641D7154E61B4AC5F73252F59D03600E26C4D3AC509CB97C0B
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          • Antivirus: Virustotal, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................y.....................................U......................U......U.......P.......U.......Rich............PE..L...4.Z...........!....."...V......j........@............................................@.........................P.......TT.......0.......................@.............................|....... ...@............@..D............................text....!.......".................. ..`.rdata...}...@...~...&..............@..@.data....H..........................@....gfids..8...........................@..@.tls......... ......................@....rsrc........0......................@..@.reloc......@......................@..B........................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):186368
                                                                          Entropy (8bit):6.373003244821189
                                                                          Encrypted:false
                                                                          SSDEEP:3072:7e9IlWW9P5jzQI+3O7WQAgaCjpAQT5uv:K+4UPVQI+3O7WQ3TT5uv
                                                                          MD5:41A34F51CAA20DCFDE91F433C12F5988
                                                                          SHA1:5403646C7FA87C0480FC81F8BF98444C2029DDFE
                                                                          SHA-256:FC9D294E070C50B3C2BD6BDE1A82E2A5DDF3F19B0374EFA29EEE2A4D6257D60A
                                                                          SHA-512:EEC4F96845E96BD9ED733C254862149706FEB37E5AD48439C50F78533512E410BA79DDCEDC925CADAC1D2E6B56BCDBEC531BDD23215610124D9CCC1E358D657F
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          • Antivirus: Virustotal, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........R..<..<..<......<...?..<...8...<...=...<...9...<.d.=...<...=...<..=..<.d.9..<.d.<..<.a....<.d.>..<.Rich.<.................PE..L.....Z...........!.....P...........1.......`............................... ............@............................. ... T...................................".. }..............................@}..@............`.. ............................text...VN.......P.................. ..`.rdata..pE...`...F...T..............@..@.data...............................@....gfids..@...........................@..@.rsrc...............................@..@.reloc...".......$..................@..B........................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):315392
                                                                          Entropy (8bit):6.468108074574678
                                                                          Encrypted:false
                                                                          SSDEEP:6144:hZiWbcnCy+zEQP5OQiuvRBC1lkVCH7rRj2SJrCoF4tKhjDMiFrt:XjboMA3ACB7N14tKhjDMwx
                                                                          MD5:821B8944BE225058CFA47863949E8330
                                                                          SHA1:70A40DBD359567E5AE0E40E209F696DAAAF1A2C8
                                                                          SHA-256:6E220A50FF97264B9DE695859F1FF6F46CA32A0118353014FAFCCCAAD1C873BB
                                                                          SHA-512:F155121B8DC5C1BAF04714A9AC7E4C77827462B23100AA55DB963898289D3B374B26BC57F7FD41532A0C59606FC0844AC16AAC948C394384FD7757DAB3CC23BD
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          • Antivirus: Virustotal, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......i..]-es.-es.-es.$...%es..;p..es..;v.;es..;w.&es..;r.)es..;r.+es...r.(es.-er..ds..;v.3es..;s.,es..;..,es..;q.,es.Rich-es.........................PE..L...).Z...........!.........H......u`.......................................0............@..........................2...........................................4..........................<...........@............................................text.............................. ..`.rdata..J...........................@..@.data...("...........v..............@....gfids..@...........................@..@.tls................................@....rsrc...............................@..@.reloc...4.......6..................@..B........................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):466432
                                                                          Entropy (8bit):6.591031773652152
                                                                          Encrypted:false
                                                                          SSDEEP:6144:WA58L7DdM7EcKnm+LG0wXuRytGKfvylZSeFe9G/HQXXb1nOFWmlwOsIMBZqlXyUm:D8nD27Am+LGvtGKfk0HYLh9USOZ
                                                                          MD5:14A58A611F68D7C6C6A43E869F4A7CA0
                                                                          SHA1:8795B5843F449839AC2EB35F2FB9F0BC4200A5E9
                                                                          SHA-256:8377C7C9D73EA0C6187ED8AE0D6E016A13CA7B76AEE9212D95E2F72E0E2408A9
                                                                          SHA-512:783DEBCFF351171A76142CF2AA49E18F3F15DFF68609F8E2C47C1A8702AC778FC9FDE0B5005AB50AE499D0EA57A5E24C65016F54A4D9C3F1EB4BDB66BA24643A
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          • Antivirus: Virustotal, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........t....G...G...G..G...G...F...G...F..G...F...G...F...Gk..F...G...F...G...Gv..Gk..F...Gk..F...Gk..F...Gn..G...Gk..F...GRich...G........................PE..L... .Z...........!.....T...................p...............................p............@.........................@!...................................... ..dH..@...............................`...@............p..4............................text....R.......T.................. ..`.rdata...i...p...j...X..............@..@.data...8...........................@....gfids..(...........................@..@.rsrc...............................@..@.reloc..dH... ...J..................@..B........................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):3825664
                                                                          Entropy (8bit):6.807627061589882
                                                                          Encrypted:false
                                                                          SSDEEP:49152:Wh0gMp73LnCRWdDnAdGJS7jgrHls8v9udNgdJ0TDMQtzASPrxqTAqBSXbKUJow:gMt3LnU47A48IrHK8v92NYQ66
                                                                          MD5:043AD966D71FA7E4821AAD0597F76575
                                                                          SHA1:19B59EF247DFE026074F53AF45B97E3D03106F9A
                                                                          SHA-256:3316A4E7CB195346D89369D9B2C6DD17559E09ADA31DB1B40989A4388D4872E3
                                                                          SHA-512:9678368E1FF25668C8DAC7175CFB993A63805EC14115D7141659D0D949113FC044A469B764C60BA091318BAE674068009FCAF1035758175E3675A3CAB6DA7472
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          • Antivirus: Virustotal, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.rc~g.0~g.0~g.0~g.0fg.0...0xg.0...0\g.0...06g.0...0.g.0~g.0.g.0...0sg.0]..0\d.0]..0Ug.0...0.g.0...0.g.0...0.g.0Rich~g.0................PE..L......d...........!......+.........R.........+...............................:...........@...........................7.&.....7.......8.p.....................8.,.....+.8...........................P.6.@.............+..............................text....+.......+................. ..`.rdata..6.....+.......+.............@..@.data...`.....7.......7.............@....rsrc...p.....8......h8.............@..@.reloc........8......l8.............@..B................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):2085888
                                                                          Entropy (8bit):6.275502958098816
                                                                          Encrypted:false
                                                                          SSDEEP:49152:nMIJjR0L3RYAzqxCQhScKFVvHeb0Q1CPwv3uQ2VXoyk:MIJyLySc0leV1CPwv3uQ2
                                                                          MD5:14F37CF1955FC31C6AB544B596CC07CA
                                                                          SHA1:EFA3B6A5C92CFCE32A1E4DBF2656F9BEBA4DD746
                                                                          SHA-256:82B38741E7F28D2C47D23B0D24BD414D58A488CACD50AD3C0F359E33FB4A369D
                                                                          SHA-512:F67833DFF8DC50D3959161259B1D0D96D9BD420EF9CBA37F50E1315E6A6E84D9BD2E0858ACDB1BE9C084B80E72FE694C6F164C173CF90A4C3EEB2874512DEC1B
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          • Antivirus: Virustotal, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.Z ..4s..4s..4s..s..4s,.5r..4s,.7r..4s,.1r..4s,.0r..4s5.5r..4s..5s..4s..4s..4s..0rY.4s..4r..4s...s..4s..6r..4sRich..4s................PE..L......Z...........!.....N...................`...............................P ...........@.........................`n...-...5..@....p..............................`U..8............................U..@............0...............................text....M.......N.................. ..`.rdata...;...`...<...R..............@..@.data............X..................@....idata.......0......................@..@.gfids..%....P......................@..@.00cfg.......`......................@..@.rsrc........p......................@..@.reloc..............................@..B........................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1023488
                                                                          Entropy (8bit):6.829669925678923
                                                                          Encrypted:false
                                                                          SSDEEP:12288:kLOOiZOSffVbf1xO9QSq8dsTwd9xLAT6O6HBlp8oWt9V+NXaZpnNnU3dFXaizR9F:k+EZd9xLAVgBlCuzR9gopeKll0GV
                                                                          MD5:FD8BD6C382FF28D9E119BB0B16DEBF0E
                                                                          SHA1:C06DC43A50ED2101DFB18FC17DCEBE6F3122C6AB
                                                                          SHA-256:C09226191A49733293D12AF73300B3965438A15A5613E916A9138402812A76A7
                                                                          SHA-512:6BB444A5CA7D38F1209E1B51EAF1BBAF373FD840C962E31EB37AAB15DF3E2C0FAC20E0C46D205EE135FA03211B287BAEB85A25CA2A3F2DF7B200823D115257D4
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          • Antivirus: Virustotal, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N......Z...Z...Z..YZ...Z..ZZ...Z..KZ...Z..\Z...Z...Z...Z..LZ...Z...Z...Z..]Z...Z..[Z...Z..^Z...ZRich...Z........PE..L...3k.T...........!......................... .......................................4...................................m...........0.......................@..........................................@............ ..x............................text............................... ..`.rdata....... ......................@..@.data...$...........................@....rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):457728
                                                                          Entropy (8bit):6.611218815671407
                                                                          Encrypted:false
                                                                          SSDEEP:6144:qsTR4+g7wuK4tlpqm8TNwdL3KnL0W9/lNYXDTH3/EtaM+LM/w+pH:qsTR4+g7wur4hwdL3KnLb9HYXMH
                                                                          MD5:F909C898520DE19DA84790CF121DB3B6
                                                                          SHA1:C4988287C46A8F5AB9B24A95009ACDE0AF4800B9
                                                                          SHA-256:24CEEC931DC40D2973BE6F0030DF4FCE5EB337C7E69DF79739493D7235754167
                                                                          SHA-512:E20AEE4FF41A060662D453CD894CC8223DC5CAB69753E670FC0225A3BEF518345FC6D2C1FD54499498A2B0DB6B220A7AE49164F4F2CE2C4209DBA0A5AA8A5C3E
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          • Antivirus: Virustotal, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C..-...-...-.....-.......-...(...-...)...-...,...-...,...-...,...-...(...-...-...-......-.../...-.Rich..-.........................PE..L.....xa...........!.........B......g........................................`.......:....@..........................M...k........... .......................0..0%......T...........................(...@............................................text............................... ..`.rdata..............................@..@.data...............................@....tls................................@....gfids..D...........................@..@.rsrc........ ......................@..@.reloc..0%...0...&..................@..B................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):375296
                                                                          Entropy (8bit):5.695333832967505
                                                                          Encrypted:false
                                                                          SSDEEP:6144:4Po/RYitktWHoX7zUMnyPvKpZG4AFuvkzrzDNmGpamA8ND7P46yLqiDoVnjSOOvy:9RYwktWIX7zUMnyPSTG4AFuczrzDNmYD
                                                                          MD5:3860A72B4BFC4722CC3AB8C05F27FCCE
                                                                          SHA1:8A1B0A2E6072995F0CE9BD087AB6EA35B3D1B338
                                                                          SHA-256:D6CD873E147A3FE816AE10F5A7AFD6BD17539102DA6FCC768CE17D388453513F
                                                                          SHA-512:B80FF4B4151A3D5DD625630751D9ABE034709B312C41E8D6253A4DAA43DBA494B400B2DEC7EECDCB24E527FDD1001FB721821EE94A9BAA5B2ED4466DE288D5D4
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          • Antivirus: Virustotal, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q1a.5P..5P..5P..<(..=P......7P...0..7P......6P......>P......>P......6P..5P...Q.......P......4P......4P......4P..Rich5P..........................PE..L......Z...........!.........................0............................................@.........................@...c=...y...................................&......8...............................@............p...............................text............................... ..`.rdata.......0......................@..@.data...\C... ...>..................@....idata...=...p...>...B..............@..@.gfids..%...........................@..@.00cfg..............................@..@.rsrc...............................@..@.reloc...,..........................@..B................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):36600
                                                                          Entropy (8bit):6.293365115285525
                                                                          Encrypted:false
                                                                          SSDEEP:768:VVRRdUlDRJuOfUhk8ZX2ZeRY4soGLeTZ8wwfKRw:VVRsZREOfUhNK96TZ8wwi6
                                                                          MD5:DE7FCC77F4A503AF4CA6A47D49B3713D
                                                                          SHA1:8206E2D8374F5E7BF626E47D56D2431EDC939652
                                                                          SHA-256:4BFAA99393F635CD05D91A64DE73EDB5639412C129E049F0FE34F88517A10FC6
                                                                          SHA-512:FDACE7EE2593FFE5724DB32F4BE62BB13AA1EC89E1E01C713D8C1E9891A5A0975D127450024C3388A987A35E546568ECDBCC60C185DC8F8B08CCEF67A084B20D
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          • Antivirus: Virustotal, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............}i.}i.}i.}h..}i...}i...}i...}i...}i...}i...}i.Rich.}i.................PE..d.....0Q.........."......V..........................................................9q......................................................d...P....................p...............a...............................................`...............................text....M.......N.................. ..h.rdata.......`.......R..............@..H.data...4....p.......X..............@....pdata...............^..............@..HINIT.................`.............. ....rsrc................h..............@..B.reloc..<............n..............@..B........................................................................................................................................................................................................................................
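The record above is the one that matters most in this listing: a PE32+ image with the native subsystem and an INIT section, dropped by a user-mode installer, with 0% AV detection. Those two fields, "File Type" and "Entropy (8bit)", are cheap to recompute from the bytes rather than taken on trust from the sandbox. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses the DOS stub, COFF header, optional-header magic and subsystem, and section names, renders the same file(1)-style type string the report prints, and computes byte-level Shannon entropy. The `build_sample_pe` helper fabricates header-only images as constructed offline input; the machine, subsystem and DLL-flag constants are from the PE/COFF specification, and `looks_like_kernel_driver` is a heuristic of this example, not a report field.

```python
"""Recompute the "File Type" and "Entropy (8bit)" fields of a dropped-file record
from raw bytes (added example; not code from the sandbox report or the sample)."""
import math
import struct
from collections import Counter
from typing import Dict, Tuple

# Values from the PE/COFF specification.
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
MACHINE_NAMES = {0x014C: "Intel 80386", 0x8664: "x86-64"}
SUBSYSTEM_NAMES = {1: "native", 2: "GUI", 3: "console"}


def shannon_entropy_8bit(data: bytes) -> float:
    """Byte-level Shannon entropy in bits per byte: 0.0 for a constant file, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_pe(data: bytes) -> Dict:
    """Parse the DOS stub, COFF header, optional header magic/subsystem and section names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, _stamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                      # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        bits = "PE32"
    elif magic == PE32PLUS_MAGIC:
        bits = "PE32+"
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # Subsystem sits at offset 68 in both the PE32 and the PE32+ optional header.
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    names = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i    # IMAGE_SECTION_HEADER is 40 bytes, 8-byte name first
        names.append(data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace"))
    return {
        "bits": bits,
        "machine": MACHINE_NAMES.get(machine, f"machine {machine:#x}"),
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, f"subsystem {subsystem}"),
        "dll": bool(chars & IMAGE_FILE_DLL),
        "sections": names,
    }


def file_type_string(info: Dict) -> str:
    """Render the classification in the same form as the report's File Type field."""
    dll = "(DLL) " if info["dll"] else ""
    return f"{info['bits']} executable {dll}({info['subsystem']}) {info['machine']}, for MS Windows"


def looks_like_kernel_driver(info: Dict) -> bool:
    """Heuristic of this example: native subsystem plus an INIT section is the usual driver shape."""
    return info["subsystem"] == "native" and "INIT" in info["sections"]


def build_sample_pe(machine: int, magic: int, subsystem: int, dll: bool,
                    sections: Tuple[str, ...] = (".text",)) -> bytes:
    """Constructed header-only PE image used as offline sample input (not a real binary)."""
    opt_size = 240 if magic == PE32PLUS_MAGIC else 224
    chars = 0x0002 | (IMAGE_FILE_DLL if dll else 0)   # IMAGE_FILE_EXECUTABLE_IMAGE [| DLL]
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, len(dos))        # e_lfanew points right after the stub
    coff = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    secs = b"".join(n.encode("ascii").ljust(8, b"\x00") + b"\x00" * 32 for n in sections)
    return bytes(dos + b"PE\x00\x00" + coff + opt + secs)


if __name__ == "__main__":
    driver = build_sample_pe(0x8664, PE32PLUS_MAGIC, 1, False, (".text", "INIT"))
    info = classify_pe(driver)
    print(file_type_string(info), looks_like_kernel_driver(info),
          round(shannon_entropy_8bit(driver), 3))
```

Run it against the real dropped files with `classify_pe(open(path, "rb").read())`; a native-subsystem image dropped from a user's roaming profile is worth investigating regardless of the 0% detection rate, and a much higher entropy than the ~6.3 recorded here would point at packing or an embedded encrypted payload.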
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):190464
                                                                          Entropy (8bit):6.420117010029419
                                                                          Encrypted:false
                                                                          SSDEEP:3072:L9wyqr9aNtelu9p7GEpji1wvBtLBdQqaMBHJR5p5PqQre3EuM:Z8r9aNtuuf7NRjBdQqVBJR9Cl3EuM
                                                                          MD5:3337B8D5AAB06D9072E3D4A72E0F9D26
                                                                          SHA1:2AC8E9CB0F8E3BA05535EE300D49D1DBFCF8C35B
                                                                          SHA-256:5CB4335CB4360B0187AB868B7DADC7E4B45913B676786F2AC95D2C9044861646
                                                                          SHA-512:C5588770C7BF21F37912FB2616B9831718E74CCA0B7E63A0E95611C2F93E55B180189D700A4A3C50314FF07305EBD1294C5F84EFC38AC50D4F447D144D189F28
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C9..-j..-j..-j...j..-jp_.j..-j.9.j..-j.9.j..-j.9.j..-j...j..-j..,j..-j...j..-j...j..-jRich..-j........PE..L......Z.....................j.......4............@..........................@............@.................................L...................................."..................................@...@............................................text............................... ..`.rdata..............................@..@.data...`E..........................@....reloc.."+.......,..................@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):438784
                                                                          Entropy (8bit):6.663378126075105
                                                                          Encrypted:false
                                                                          SSDEEP:12288:u29xzXfvpHMCBkm/4ckvK18d7Xm+S9kMNOU2Eq+xqn6lIzn:u29xzXfvpHMCBkm/4ckvK18d7Xm+S9kT
                                                                          MD5:124AD66540633CB743122E2EA5D18C71
                                                                          SHA1:12635BB0D5BF3B5B3F0ED24F22055B1447778A3F
                                                                          SHA-256:1F0011826BD72DF4232F33A02A8697D4444570C06362B1BA8535E4A11279CFB9
                                                                          SHA-512:EE184653A4A30401DB5CA5753F93E1FF7914D0838FBFDC7DA880F1BE423B1C953F2A21FCA3224D83B2EE39589EC18A418994D001C7262DF0E11F13FE21138A70
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X.v.....................s......s......s.t..........z[.........d...?Z.]...z[.....z[.....z[.....z[.....Rich....................PE..L...I..Z...........!.........................0...............................@............@......................... }..O....r..d.......0........................%...................................o..@............0...............................text............................... ..`.rdata..oM...0...N..................@..@.data....t...........j..............@....rsrc...0...........................@..@.reloc..d-..........................@..B................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):310272
                                                                          Entropy (8bit):6.621497206632747
                                                                          Encrypted:false
                                                                          SSDEEP:6144:TT9KgQ9caedm0soS4mIEoDoh4zbkrTgmXzmphL9rXD5sCiO:TT9KgQPedm0soS4mIEocdrT9XyphL1XZ
                                                                          MD5:C954B7E9D500BADF4DD0A512A273F583
                                                                          SHA1:92738209568304FAAE048AF9FB2DD69257CAA1DE
                                                                          SHA-256:F3C8E39342F16CFCB2EC9ADB39D1CFF274165D1166FDF6917F8693E5C79B2257
                                                                          SHA-512:1072AC3AEE0227027C883D1BAD37217B858EF970DBA63D5F92FE9753D7AC26C18FCEA83E7CECACEA6B69A2DFE4C513E5252B96DAA05A88A133D55C10494BB515
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8j..|..C|..C|..C.ZCx..C..RCQ..C..PC`..C..SC...C|..C...C.|$Cw..C_.SC4..C..WC}..C..TC}..C..QC}..CRich|..C........................PE..L......Z...........!.........V...............................................0............@..........................=..P,...-..x...............................,1..........................x'......0'..@...............4............................text............................... ..`.rdata..............................@..@.data....V...p.......`..............@....tls.................z..............@....rsrc................|..............@..@.reloc..6;.......<..................@..B................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):61952
                                                                          Entropy (8bit):5.9623369659924
                                                                          Encrypted:false
                                                                          SSDEEP:1536:dW9TO0UhPa0Xqtr+RcCGK/sWjcdEPSCc:dW9L0zGKAEPSCc
                                                                          MD5:27B213629FC5B93C819ED03F17D027B5
                                                                          SHA1:D411238078DE7D2338395D74346272188DCD7569
                                                                          SHA-256:D2ED23112E0BC007319F44C0379513381F1FEEB6E82051588156A1AE18640902
                                                                          SHA-512:B3FB9A0D8744ED4C7D9A765FB0427461A805133ACC8D7857CDC358737EB06D2417E0F2FED9675E807597BC715E35CC5197A856BE06537BA54D8C14DA44F03AA7
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d... ... ... ....d.".......2......./.......w...F'..#... ...v....&......F'..!...F'..!...F'..!...Rich ...........................PE..L......Z...........!.....|...........1.......................................@............@.........................`...........<............................ ..........................................@...............(............................text....{.......|.................. ..`.rdata..<L.......N..................@..@.data...4,..........................@....rsrc...............................@..@.reloc..F.... ......................@..B........................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):57856
                                                                          Entropy (8bit):5.864142896774992
                                                                          Encrypted:false
                                                                          SSDEEP:1536:QK2zRk5CDHri6Q4NgAhcd0sWjcdExNgTzfpK+:6BHW6Q4NW7ExNgTzfpN
                                                                          MD5:556C4D654D05A291D144C05A1FF1CD3A
                                                                          SHA1:2FB0718A88D93C9547A10CE8923C45EC1DD0550B
                                                                          SHA-256:7732A4F4B808DEA0E7FC98740D8FB4FA8EBFA7E2D9EFA693B1CE72981E075DDE
                                                                          SHA-512:E0BCC856111E7B60CA802A6226EFB45DBA6195E67D6A1927609C8CCFFF899EDDD4F694D7EFB1C18D175E9575D6080070D8EA750C69508FB7AC451EC6CA7601A0
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'.A;c./hc./hc./h...ha./h...hq./h...hi./h...h4./h.+.h`./hc..h3./h@*.h`./h.+.hb./h.+.hb./h.+.hb./hRichc./h........PE..L......Z...........!.....p..........B%.......................................0............@.........................p...,...D...<.......................................................................@............................................text....o.......p.................. ..`.rdata...I.......J...t..............@..@.data...4,..........................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):915456
                                                                          Entropy (8bit):6.409619510793422
                                                                          Encrypted:false
                                                                          SSDEEP:24576:GDgt3Iu9ER+2r2BCBt/x0Pq4CxFGTInIu4MSg:mgB52HWMSg
                                                                          MD5:86CBDC08307EC5A60D5DAE63F1BF7F1D
                                                                          SHA1:FE71CB33BB49CB7FEF943367D9ED9B7E7234D6B6
                                                                          SHA-256:C50FE83362D84714915A3D429E675F35562F02A0712697B761E57149760898CC
                                                                          SHA-512:6200F5766F95AA66FB6C54E2C00841839CFBF911FC716281D09CE283B25645919A83550FD90DA4C4631F424C6F5BDEEA21C7420524E4738B5A95C95A79BDF7A9
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^I...(...(...(..._ ..(....V.;(....T..(....W.`(..|.R..(...(..r)..9.W.(..|.S..(..|.P..(..|.U..(..Rich.(..........PE..L......Z...........!.....r...................................................p............@.........................`....i......x................................a..................................p...@...............D............................text....p.......r.................. ..`.rdata..G............v..............@..@.data...`E...........h..............@....rsrc...............................@..@.reloc..8p.......r..................@..B........................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):397824
                                                                          Entropy (8bit):6.85298728759357
                                                                          Encrypted:false
                                                                          SSDEEP:6144:SVfDnPf5QwOk8/H1rBHY4FFS5XVpLMTVaHAVIIYI4LBzCsu:SVfDnPhQPrBHY4HSLpqVIIYI4LBzBu
                                                                          MD5:659F25DD0FC41F0D756386AB45FA426B
                                                                          SHA1:C55246262CC066742C970E360D3661CA24BC62AD
                                                                          SHA-256:7957CCC254495C565F26391E0A81A527CED9BC1EB3DD7F1E1D3F99C3DBD18508
                                                                          SHA-512:9EC45B2DBDDE3B655B091C254FD9282C781C9D296417BEAF56EF3A3776F99389D3C9A5F5E11FB1E1E90B4463CEF230A0F6008CF3CC413D5664E8246C096CD4E2
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E......X...X...X..,X...X.hZX...X.hXX...X.h[XV..Xg@^X...X...Xe..X"A[X...Xg@_X...Xg@\X...Xg@YX...XRich...X........PE..L......Z...........!.....@...................P...............................`............@.............................P....x..d............................ ...6...................................u..@............P..`............................text....?.......@.................. ..`.rdata..`1...P...2...D..............@..@.data...Tx.......Z...v..............@....rsrc...............................@..@.reloc...=... ...>..................@..B........................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):175104
                                                                          Entropy (8bit):6.380804511310592
                                                                          Encrypted:false
                                                                          SSDEEP:3072:uy+ViWjqFwR/IW3gpqCFEak9xXXlj967YuUWXEcKBMydTuoQ3UpqTItre14FodB:us/Q8pqp9xXXlpuqBoc0TQk
                                                                          MD5:32DD3C576D236577E9F23EE4D016C467
                                                                          SHA1:9A8B2DDAED3DB4E94FF607AD235BBA6698D8F2C7
                                                                          SHA-256:8D367AC7A3007789CB2006AA4CFB038BEBFF5D11F4C6F130DCB60B1496AC0BEE
                                                                          SHA-512:CB07D3C86C71BB500B612D6A09212B4FE255A27EAEA8E60ACC83CA318B3F9F5BAF608315598AD23B499CE4A900265DF071E7892A10C00FCFC3EC078E871D5B67
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,.U.B.U.B.U.B...W.B..P..].B.6..I.B.6..D.B.6../.B.3...R.B.U.C...B.v...C.B.3...T.B.3...T.B.3...T.B.RichU.B.................PE..L...W..Z...........!................"n....... ............................................@.........................`}......,l..d.......8.......................H...................................hg..@............ ...............................text...6........................... ..`.rdata..g^... ...`..................@..@.data...$/...........r..............@....rsrc...8...........................@..@.reloc...%.......&..................@..B........................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):217088
                                                                          Entropy (8bit):6.551633114866076
                                                                          Encrypted:false
                                                                          SSDEEP:3072:zW2hMZf9HEyhtRU/U5YZndpTO7QO3dxINXgOwLhw84WxoRxz:qgQlETU5MMQYIHGi
                                                                          MD5:30E199190DCD45BA0D122FCD30C274BE
                                                                          SHA1:3DCFB388137475AA10C89433EE6BD46F511CDDE4
                                                                          SHA-256:50B0ADF97C13E3589B5A765564B05FA580E569DA69E3A9BD55E3B3B61EE46A41
                                                                          SHA-512:AF65B9B7128E0DA663D8057B39F11C004314A769C8FC4D75EA1E63544D25D1E08E1E926AB0366C290B4CC8DFC23A906C4EF7ADC2532B91ECF7B228BCAF74BB8F
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........u1x.._+.._+.._+5c.+.._+W..+.._+8.+.._+8.+.._+8.+_._+...+.._+..^+Y._+...+.._+...+.._+...+.._+...+.._+Rich.._+................PE..L...;..Z...........!.........z............................................................@......................... ...8.......d....p..............................................................P...@............................................text...]........................... ..`.rdata..X...........................@..@.data....:...0......................@....rsrc........p.......$..............@..@.reloc..:&.......(...(..............@..B........................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):149504
                                                                          Entropy (8bit):6.209364843209916
                                                                          Encrypted:false
                                                                          SSDEEP:3072:C56aJqLAr7FkF0MrztzsWb1nnbooLGl4AK3vZUsgBHY3P3f4PlQkDHbzisttdzhh:q6aZkFHtzsWb1nnboWG8vL3P3gPGy9PX
                                                                          MD5:022B6FB51D33F9A076329D7A91B40620
                                                                          SHA1:11E964F14883D961ED462ED99990AE40D127EC87
                                                                          SHA-256:666421A0F6F87DFD72F8D1A68A95417709D7ADB47A3F91907EC3686108A6F38B
                                                                          SHA-512:B947DCDD32D0A5AFB0E4F8F9505C4ACDFE16EA7DD6CAE2B9C511F24ED9B88CC1513E39C21FFD454BC42D9CF26B78BFD332D98859C636C242B223D6C6BC1C7D44
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*`>YK.mYK.mYK.m.<.m[K.m...mKK.m...mUK.m...m.K.m?..mRK.mYK.mCJ.mz..m}K.m?..mXK.m?..mXK.m?..mXK.mRichYK.m........................PE..L......Z...........!.....~..........f3....................................................@..........................................`.......................p..........................................@...............8............................text....}.......~.................. ..`.rdata..............................@..@.data...4....0......................@....rsrc........`.......(..............@..@.reloc..>....p.......,..............@..B........................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):219648
                                                                          Entropy (8bit):6.348174231200735
                                                                          Encrypted:false
                                                                          SSDEEP:6144:bBDa8PtdxEWGT1isGfjyxDui2B1dFkYus:bBpPCWG8mxii2zdd
                                                                          MD5:485AA9DC1D332EF1A9DC31F19A526F82
                                                                          SHA1:FF19B3E0A4B379EA4B39075946DA2148859D8ADE
                                                                          SHA-256:BC85490155DAA4C31A2D39447B477A4E442AF47EC83939BD37353857B44C4899
                                                                          SHA-512:62699CB8F889F7D05EC36A6E57685C2A66110096BA97A949911441C3F7AC3BD100BF306C840AE96C883CD03970CEA012DBACA884246F8E6778F3664E9CABC2AF
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u..1..1..1....R.3..',.0...A$.+...A&.:...A%.P..Wi .:..1.....h%."..Wi!.0..Wi".0..Wi'.0..Rich1..........................PE..L...T..Z...........!.................-....................................................@.........................@*......T........`..8....................p...!......................................@............................................text.............................. ..`.rdata.............................@..@.data...\/...0......................@....rsrc...8....`.......*..............@..@.reloc...+...p...,..................@..B................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):617472
                                                                          Entropy (8bit):6.659091537520531
                                                                          Encrypted:false
                                                                          SSDEEP:12288:yyWvcxz3CO9uerS8bf5+yNejUogPr4faWAIhZxsvcI0z+UYOxVJEQU:yyWvQ3CO9uevQvfgPr4fa5cZU/0CO8
                                                                          MD5:6AC28CF170907BA16B68BD39EE86BC29
                                                                          SHA1:8F528C24F39E7EF708EEDFBFD657B026053711F8
                                                                          SHA-256:90645044AFE1C79ECC8877CF9C79414916E1EBD94EBC8714CB68AE34BD89A6A3
                                                                          SHA-512:C59EEAC9E5AF7CED0510B9C13131EE4C848283A484104F1681F6264701FDEF2512C2913AFCA68600FF0DC6E9E114BF8DDE50217A6AE0E360BFFF2FC7F81EE4BA
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................`.X....m......m.,....m./.....!/..... +..... -....Rich....................PE..L...M..Z...........!.........v.......}.......0............................................@.................................t...(............................p..l@......................................@............0...............................text............................... ..`.rdata.......0......................@..@.data....F... ...$..................@....reloc...G...p...H...$..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):53299
                                                                          Entropy (8bit):3.9943496203596918
                                                                          Encrypted:false
                                                                          SSDEEP:384:hSvfC8Vv0Vy7ojuq7GQcdWTc4zU+GFronD/yD5rBEe0kiH32Jp9AhOW:wt+TGQcdWYdMG59EeJiH3YzW
                                                                          MD5:F04A90F917BA10AE2DCBE859870F4DEA
                                                                          SHA1:6668EBE373CE58C33017697C477557653427E626
                                                                          SHA-256:99C61ABF41C3AEC38CAB3ED6270ADBCA9A247BBF5F9AA9D29ECB0659A5527F48
                                                                          SHA-512:AEC29301B9CE311B27F1590B0E0C4121ACDC183A30B570E087D77B7035684F02A6DFBDEE950C37F3023B32E2EA5A075A5FBE6D18A2804DA9490D4959733BB516
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......EGi..&...&...&..c9...&...&..7&...9...&...9...&..Rich.&..........................PE..L.....g?...........!.....p...P.......d..............................................................................0...^.......P...............................T...................................................................................text...3f.......p.................. ..`.rdata........... ..................@..@.data...............................@....idata..4...........................@....reloc..J...........................@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):217600
                                                                          Entropy (8bit):6.502467400971621
                                                                          Encrypted:false
                                                                          SSDEEP:6144:T+MCLaMRv89FpK5sZ7kwvrH/rhqlq0/HqfkT7UALGicQpgo9u9/JTibcnd//N:TfCrvSpK5sZ7kwvrH/1qlq0/HqfkTDLO
                                                                          MD5:85CEB6B1F6EA475E80A068AC1EB2E1D7
                                                                          SHA1:9C0FFED6929AC584C9B6CDCADA7BE4C74FAE05E3
                                                                          SHA-256:43A4930DC3ED17989AF435C55952D6FFD39035840BBAADEB802F2741EEA92CB1
                                                                          SHA-512:E3DAB7ED298C9785CE72941ED93B1D7F1B89D2189878A40839B7088AB267A84CBC31CCA7EAACACB3F9ADE0C59C2899BC0E30B8E37D094DB1FECC79546E30D86E
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;K..hK..hK..hB.|hO..hB.mhI..hB.zhL..hK..h...hB.jhp..hB.{hJ..hB.}hJ..hB.xhJ..hRichK..h........PE..L...@k.T...........!.....z...........................................................O..................................A.......P....P.......................`......................................8...@...............D............................text....x.......z.................. ..`.rdata..............~..............@..@.data....(... ...&..................@....rsrc........P.......*..............@..@.reloc.......`... ...2..............@..B........................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):282360
                                                                          Entropy (8bit):6.604477037348888
                                                                          Encrypted:false
                                                                          SSDEEP:6144:E4yIm5rC9WNWwKcNBSCiLvK8+jKgZBwIbg2:jyIm59WwpqCuEKIwv2
                                                                          MD5:4633B298D57014627831CCAC89A2C50B
                                                                          SHA1:E5F449766722C5C25FA02B065D22A854B6A32A5B
                                                                          SHA-256:B967E4DCE952F9232592E4C1753516081438702A53424005642700522055DBC9
                                                                          SHA-512:29590FA5F72E6A36F2B72FC2A2CCA35EE41554E13C9995198E740608975621142395D4B2E057DB4314EDF95520FD32AAE8DB066444D8D8DB0FD06C391111C6D3
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%I+&a(Eua(Eua(Eu..;uc(EuF.8uv(EuF.+uC(EuF.(u.(EuF.>uc(Eua(Du.(Eu.'.ud(EuF.4ut(EuF.?u`(EuF.9u`(EuF.=u`(EuRicha(Eu........................PE..L.....0Q...........!................z...............................................8_.............................. ...........P....................0..........8&..p...................................@...............,............................text....z.......................... ..`.rdata..=7.......@..................@..@.data...!........ ..................@....rsrc...............................@..@.reloc..p........0..................@..B................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):107768
                                                                          Entropy (8bit):6.207807273671645
                                                                          Encrypted:false
                                                                          SSDEEP:3072:xpMSqNrAF/ln2800b4U7kByZo6Fsl1LOb:xpMSq0/AN0EG4yZ/
                                                                          MD5:899A5BF1669610CDB78D322AC8D9358B
                                                                          SHA1:80A2E420B99FFE294A523C6C6D87ED09DFC8D82B
                                                                          SHA-256:AB3CCE674F5216895FD26A073771F82B05D4C8B214A89F0F288A59774A06B14B
                                                                          SHA-512:41F2459793AC04E433D8471780E770417AFAC499DC3C5413877D4A4499656C9669C069D24E638D0AAF43AF178A763ACB656FFD34D710EB5E3C94682DB1559056
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................5.......5.......5.....n..............5.......5.......5.......5......Rich....................PE..d.....0Q.........." .........t...... l..............................................r................................................\.......P..x.......T.......\....................$............................................... ...............................text...>........................... ..`.rdata...@... ...B..................@..@.data...(7...p.......T..............@....pdata..\............j..............@..@.rsrc...T............|..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):370424
                                                                          Entropy (8bit):6.481542014421452
                                                                          Encrypted:false
                                                                          SSDEEP:6144:pH+VjFreKE0V/NGvaX86tWBXZkbTe/CtjgZBwIV8g/wNmJ4eXk:pH+VBeT0V/NBX8k2YTe/QIwIs8k
                                                                          MD5:A672F1CF00FA5AC3F4F59577F77D8C86
                                                                          SHA1:B68E64401D91C75CAFA810086A35CD0838C61A4B
                                                                          SHA-256:35AAB6CAAAF1720A4D888AE0DE9E2A8E19604F3EA0E4DD882C3EEAE4F39AF117
                                                                          SHA-512:A566E7571437BE765279C915DD6E13F72203EFF0DC3838A154FC137ED828E05644D650FD8432D1FB4C1E1D84EE00EF9BDE90225C68C3CA8A5DA349065E7EBFD6
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........5...[...[...[.e.%...[...&...[...5...[...6..[... ...[...Z.d.[.U ...[...*...[...!...[...'...[...#...[.Rich..[.........................PE..d.....0Q.........." ................p........................................P......................................................P4.......'..P....0...........'...........@..X.......................................................X............................text............................... ..`.rdata..mm.......n..................@..@.data........@...&...,..............@....pdata...'.......(...R..............@..@.rsrc........0.......z..............@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................
                                                                          Process:C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:modified
                                                                          Size (bytes):11290
                                                                          Entropy (8bit):5.389888266607761
                                                                          Encrypted:false
                                                                          SSDEEP:192:6k2YmSKI4tFpYVmRu0P+PmPQPEPKPPPiP8PnPkPYPIPEPXPxPJP2P6bPWPJ:n2YmSKr8mRnWeo8CX6U/8wgc/phuCbOB
                                                                          MD5:8CADB22C4811FDD7E40B51A3C3580EFC
                                                                          SHA1:A2BCBB033F6CAE8E6B28489DAA7B4216196964D0
                                                                          SHA-256:EB5AE21359178722F0D4271D378659BCE0123B6F912253C4328B3C85EF959751
                                                                          SHA-512:A91979A96F1E36F3E2DBDBB15C395CAED0AF4A3725A6BCFF086CA7956378C43B476FABEFADBA026C3137E5804DCC30E6925B0130E76D91E64F42C17FB9206281
                                                                          Malicious:false
                                                                          Preview:2024-03-20 11:50:16 svcAppLookup.exe [2924] <DEBUG> [ws_process_monitor_service]: ServiceMain: service started..2024-03-20 11:50:16 svcAppLookup.exe [2924] <DEBUG> [processs_monitor]: Windows 8 or newer..2024-03-20 11:50:16 svcAppLookup.exe [2924] <DEBUG> [stealth_manager]: CStealthManager::checkAndUpdateNewBinary enter {..2024-03-20 11:50:16 svcAppLookup.exe [2924] <DEBUG> [stealth_manager]: flag delete : 0..2024-03-20 11:50:16 svcAppLookup.exe [2924] <DEBUG> [stealth_manager]: copy hookDll32 : 1..2024-03-20 11:50:17 svcAppLookup.exe [2924] <DEBUG> [stealth_manager]: copy hookDll64 : 1..2024-03-20 11:50:17 svcAppLookup.exe [2924] <DEBUG> [stealth_manager]: CStealthManager::checkAndUpdateNewBinary exit }..2024-03-20 11:50:17 svcAppLookup.exe [2924] <DEBUG> [ws_process_monitor_service]: ServiceWorkerThread enter {..2024-03-20 11:50:17 svcAppLookup.exe [2924] <DEBUG> [ws_process_monitor_service]: Loading Name Map..2024-03-20 11:50:17 svcAppLookup.exe [2924] <DEBUG> [stealth_manager]: CSt
                                                                          Process:C:\Program Files (x86)\Windows Provisioning\svcAppUpdate.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):510
                                                                          Entropy (8bit):5.07661842671772
                                                                          Encrypted:false
                                                                          SSDEEP:12:qOKFeQbt/GuOKFeQahOOKFeQXOKFeQavOOKFeQr6mK7:qfXZfxfZf+OfN6mK7
                                                                          MD5:0D9F1FFFBDC751C3511433EAD7C05576
                                                                          SHA1:79868804E1596BAF59D73E126BD31F013B332512
                                                                          SHA-256:5F2E9677E84362C2A520934268AA59A512A12843359C64865B112347A7226C9C
                                                                          SHA-512:53A625F48E9282E1220B9668D1BAF81C3784A5649671B161A589D6FDB440E129618D34E2D6B1C39B2C44D6413E107AD0D1C24D1A693C92AAC70C6BFD908DD9A2
                                                                          Malicious:false
                                                                          Preview:2024-03-20 11:50:13 svcAppUpdate.exe [4332] <DEBUG> [ws_update_service]: ServiceMain: service started..2024-03-20 11:50:13 svcAppUpdate.exe [4332] <DEBUG> [ws_update_service]: ServiceWorkerThread enter {..2024-03-20 11:50:20 svcAppUpdate.exe [4332] <DEBUG> [ws_update_service]: Exit update service..2024-03-20 11:50:20 svcAppUpdate.exe [4332] <DEBUG> [ws_update_service]: ServiceWorkerThread exit }..2024-03-20 11:50:20 svcAppUpdate.exe [4332] <DEBUG> [ws_update_service]: ServiceCtrlHandler : CtrlCode = 0x1..
                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:modified
                                                                          Size (bytes):31882
                                                                          Entropy (8bit):5.2964555461120835
                                                                          Encrypted:false
                                                                          SSDEEP:384:DXgx5h9jenjJ7/k7/V7/+7/n7/Q7/x7/K7/67/h7/s7/jg27/GW3Wz7/gc7/47/8:DQx5zM90l
                                                                          MD5:38AC2BED7349F1EE33279051265C2554
                                                                          SHA1:F8BB4F77C159147EAC3D0253DF215B0A3406E472
                                                                          SHA-256:C484138B4FCDA4F0DECDD5977B39050AC071A38AA39410746C0ABFEF6D65E09D
                                                                          SHA-512:3DEACF5280956A6E0237B8EE9B7AA9AF9ACE1E2994C37FC9FB78DEE54952F02DBE969519FB4ADA18EA96B219174972E8CE544EBF7CFC247EAD5BC9BC8A655B96
                                                                          Malicious:false
                                                                          Preview:2024-03-20 11:50:17 rundll32.exe [6056] <DEBUG> [fx_ws_main]: Last error: 0..2024-03-20 11:50:17 rundll32.exe [6056] <DEBUG> [fx_ws_main]: Show dialog: 0..2024-03-20 11:50:17 rundll32.exe [6056] <DEBUG> [fx_ws_main]: License path: ..2024-03-20 11:50:17 rundll32.exe [6056] <DEBUG> [fx_ws_main]: Status path: ..2024-03-20 11:50:17 rundll32.exe [6056] <DEBUG> [fx_ws_main_form]: CFxWSMainForm::CFxWSMainForm enter {..2024-03-20 11:50:17 rundll32.exe [6056] <DEBUG> [fx_ws_main_form]: Ole init result: 0..2024-03-20 11:50:17 rundll32.exe [6056] <DEBUG> [app_engine]: CAppEngine::initializeCommonComponents enter {..2024-03-20 11:50:18 rundll32.exe [6056] <DEBUG> [app_engine]: Start WPcap service..2024-03-20 11:50:18 rundll32.exe [6056] <DEBUG> [stealth_manager]: Launching NPF service..2024-03-20 11:50:18 rundll32.exe [6056] <ERROR> [stealth_manager]: Failed to start NPF service, error code: 31..2024-03-20 11:50:18 rundll32.exe [6056] <DEBUG> [configuration_manager]: CConfigurationManagerImp::upda
                                                                          Process:C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):1498
                                                                          Entropy (8bit):5.220245256426672
                                                                          Encrypted:false
                                                                          SSDEEP:24:nAzcOxzQvzQrxzQvzQrxzQvzQrxCy4Tv4EvCuy:nAQkUvUdUvUdUvUdCyk1Cuy
                                                                          MD5:B3DA3AA5B7F0553B7D6C1ADE6060FD38
                                                                          SHA1:F83B68BC206833E25CECB6AD384859794A137557
                                                                          SHA-256:24B6F804B721A2646FDC02E92002CCEA1A6D1C2CBAFDA9BB281B39C1C405B7C0
                                                                          SHA-512:8DD7D3289E5CF9E5A9C37D1C2E6A3EC520C6481B08EDAE52E3F4AF56FBB7E87DDB6C8B8B0BC7DD06636635268FE0C46F36A4BB42F779A654173AC4C93454D0A0
                                                                          Malicious:false
                                                                          Preview:2024-03-20 11:50:17 nt_system_service.exe [7060] <DEBUG> [ipc_manager_wm]: IPCWebmailServiceManager::IPCWebmailServiceManager enter {..2024-03-20 11:50:17 nt_system_service.exe [7060] <DEBUG> [webmail_store_temp]: Handle : 000002F0, Error : 0..2024-03-20 11:50:17 nt_system_service.exe [7060] <DEBUG> [ipc_manager_wm]: IPCWebmailServiceManager::IPCWebmailServiceManager exit }..2024-03-20 11:50:17 nt_system_service.exe [7060] <DEBUG> [webmail_handler]: WebmailHandler::setWebmailCaptureManager enter {..2024-03-20 11:50:17 nt_system_service.exe [7060] <DEBUG> [webmail_handler]: WebmailHandler::setWebmailCaptureManager exit }..2024-03-20 11:50:17 nt_system_service.exe [7060] <DEBUG> [webmail_handler]: WebmailHandler::setWebmailCaptureManager enter {..2024-03-20 11:50:17 nt_system_service.exe [7060] <DEBUG> [webmail_handler]: WebmailHandler::setWebmailCaptureManager exit }..2024-03-20 11:50:17 nt_system_service.exe [7060] <DEBUG> [webmail_handler]: WebmailHandler::setWebmailCaptureManager ent
                                                                          Process:C:\Program Files (x86)\Windows Provisioning\post_install.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):9381
                                                                          Entropy (8bit):5.25413814884236
                                                                          Encrypted:false
                                                                          SSDEEP:192:H6uVBlbNsvXr86+w8PBhslhclh+l2ui+QkeQUeQmezoPQmIXELizgWLizgEgp/gk:nooQ7u12G+q
                                                                          MD5:99253D2FBBB879B7FE3945CBCA0A482F
                                                                          SHA1:ABC804680E2B273433EA2D9921E1A61DC75E7B44
                                                                          SHA-256:61AEB4AE8816D1F50C9877F6C5369CE9650551768BD6441BE23AAEA573618CD8
                                                                          SHA-512:CFE31B62924B99B095F6BDA0CAAFE6D96C7D62480122DC8E4D604F1908694D50139EAD1010E2699F82EFD947BDA5FAA657DBBE1728C32FBB448447886A0829AB
                                                                          Malicious:false
                                                                          Preview:2024-03-20 11:50:09 post_install.exe [3304] <DEBUG> [post_install]: 0) token exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe..2024-03-20 11:50:12 post_install.exe [3304] <DEBUG> [post_install]: 1) token inst=C:\Program Files (x86)\Windows Provisioning..2024-03-20 11:50:12 post_install.exe [3304] <DEBUG> [post_install]: 2) token s=1..2024-03-20 11:50:12 post_install.exe [3304] <DEBUG> [post_install]: 3) token k=..2024-03-20 11:50:12 post_install.exe [3304] <DEBUG> [post_install]: 4) token p=..2024-03-20 11:50:12 post_install.exe [3304] <DEBUG> [post_install]: 5) token r=0..2024-03-20 11:50:12 post_install.exe [3304] <DEBUG> [post_install]: Ole init result: 0..2024-03-20 11:50:12 post_install.exe [3304] <DEBUG> [post_install]: Install path: C:\Program Files (x86)\Windows Provisioning..2024-03-20 11:50:12 post_install.exe [3304] <DEBUG> [post_install]: Reinstall : 0..2024-03-20 11:50:12 post_install.exe [3304] <DEBUG> [stealth_manager]: CStealthManager::deleteH
                                                                          Process:C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe
                                                                          File Type:ASCII text, with very long lines (317), with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):2734
                                                                          Entropy (8bit):5.448033214268957
                                                                          Encrypted:false
                                                                          SSDEEP:48:dgpuRgPXWgPOgPxZg5Azg5Vg5HWg5aZTg5aZRg5aqg5Og5aGg5aXg5kg55g5aVg+:e8CPBx5a5A85m5HB5aZc5aZC5a15J5aB
                                                                          MD5:762B3E2EFC8E06238DCB2E4B370E1BC3
                                                                          SHA1:77EC9406CFFB8D5FD6D1E76BD450D26CCAFC5910
                                                                          SHA-256:E72D7EFD1C26E752528119C84E2297662A3C1BF863904A57DBD3C36AAA263C70
                                                                          SHA-512:F684E9723FD9E88F9130343CBC08178241A31344CC6CBA37E265E7D49C1775208DECE13447A6C3A699FB0016370D27FA0781C41E96000E78840B51906F159CB1
                                                                          Malicious:false
                                                                          Preview:2024-03-20 11:50:16 svcAppInit.exe [6556] <DEBUG> [processs_monitor]: Windows 8 or newer..2024-03-20 11:50:16 svcAppInit.exe [6556] <DEBUG> [StartupAgency]: ServiceMain: service started..2024-03-20 11:50:16 svcAppInit.exe [6556] <DEBUG> [StartupAgency]: argc = 4..2024-03-20 11:50:16 svcAppInit.exe [6556] <DEBUG> [StartupAgency]: License path = , Status path = ..2024-03-20 11:50:16 svcAppInit.exe [6556] <DEBUG> [stealth_manager]: flag delete : 0..2024-03-20 11:50:16 svcAppInit.exe [6556] <DEBUG> [stealth_manager]: copy hookDll32 : 1..2024-03-20 11:50:16 svcAppInit.exe [6556] <DEBUG> [stealth_manager]: copy hookDll64 : 1..2024-03-20 11:50:16 svcAppInit.exe [6556] <DEBUG> [stealth_manager]: CStealthManager::checkAndUpdateWinPcapLibrary enter {..2024-03-20 11:50:16 svcAppInit.exe [6556] <DEBUG> [stealth_manager]: CStealthManager::checkAndUpdateWinPcapLibrary exit }..2024-03-20 11:50:16 svcAppInit.exe [6556] <DEBUG> [stealth_manager]: CStealthManager::checkAndUpdatePocoLibrary enter {..2024
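The six log previews above are the dropped components' own verbose debug output (components such as stealth_manager, hookDll32/hookDll64 copy flags, a WPcap/NPF service start, and webmail capture handlers), which makes them a cheap source of indicators during triage. Win32 error 31 in the rundll32.exe preview is ERROR_GEN_FAILURE. The following is an added example, not part of the Joe Sandbox report or of the sample itself: a parser for that log line shape with a few indicator rules, run over lines copied from the previews (the report renders the CRLF terminators as "..", which are restored here) plus one constructed non-matching line. The indicator names are this example's own labels.

```python
"""Added example, not part of the Joe Sandbox report: turn the dropped
components' debug log lines (see the log previews above) into per-process
indicators."""
import re
from collections import defaultdict

# Line shape seen in the previews:
#   2024-03-20 11:50:18 rundll32.exe [6056] <ERROR> [stealth_manager]: Failed to start NPF service, error code: 31
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<proc>\S+) \[(?P<pid>\d+)\] <(?P<level>[A-Z]+)> "
    r"\[(?P<component>[^\]]+)\]: (?P<msg>.*)$"
)

# Indicator rules over (component, message). The substrings come from the log
# previews above; the indicator names are this example's own labels.
RULES = [
    ("hook_dll_deployed",
     lambda c, m: c == "stealth_manager"
     and re.search(r"copy hookDll(32|64) : 1", m) is not None),
    ("pcap_driver_use",
     lambda c, m: "NPF service" in m or "WPcap service" in m),
    ("webmail_capture",
     lambda c, m: "webmail" in c.lower() or "webmail" in m.lower()),
    ("install_path",
     lambda c, m: m.startswith("Install path: ")),
]


def parse_line(line: str):
    """Return the parsed fields as a dict, or None for a line that does not match."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def triage(lines):
    """Aggregate indicator names per process, collect ERROR lines and install paths,
    and count non-empty lines that did not parse."""
    indicators = defaultdict(set)
    errors, install_paths, unparsed = [], [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                unparsed += 1
            continue
        comp, msg = rec["component"], rec["msg"]
        for name, pred in RULES:
            if pred(comp, msg):
                indicators[rec["proc"]].add(name)
        if rec["level"] == "ERROR":
            errors.append((rec["proc"], msg))
        if msg.startswith("Install path: "):
            install_paths.append(msg[len("Install path: "):])
    return {
        "indicators": {p: sorted(s) for p, s in indicators.items()},
        "errors": errors,
        "install_paths": install_paths,
        "unparsed": unparsed,
    }


# Sample input copied from the log previews above, with the report's ".." CRLF
# placeholders restored; the last line is a constructed non-matching line.
SAMPLE = "\r\n".join([
    "2024-03-20 11:50:16 svcAppLookup.exe [2924] <DEBUG> [ws_process_monitor_service]: ServiceMain: service started",
    "2024-03-20 11:50:16 svcAppLookup.exe [2924] <DEBUG> [stealth_manager]: copy hookDll32 : 1",
    "2024-03-20 11:50:17 svcAppLookup.exe [2924] <DEBUG> [stealth_manager]: copy hookDll64 : 1",
    "2024-03-20 11:50:18 rundll32.exe [6056] <DEBUG> [app_engine]: Start WPcap service",
    "2024-03-20 11:50:18 rundll32.exe [6056] <ERROR> [stealth_manager]: Failed to start NPF service, error code: 31",
    "2024-03-20 11:50:17 nt_system_service.exe [7060] <DEBUG> [webmail_handler]: WebmailHandler::setWebmailCaptureManager enter {",
    "2024-03-20 11:50:12 post_install.exe [3304] <DEBUG> [post_install]: Install path: C:\\Program Files (x86)\\Windows Provisioning",
    "not a log line",
])

if __name__ == "__main__":
    for key, value in triage(SAMPLE.split("\r\n")).items():
        print(key, value)
```

Feeding the full log files rather than the truncated previews is the intended use; the rules are deliberately substring-based so they survive the minor wording changes between the component names seen in different processes.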
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):190464
                                                                          Entropy (8bit):6.420117010029419
                                                                          Encrypted:false
                                                                          SSDEEP:3072:L9wyqr9aNtelu9p7GEpji1wvBtLBdQqaMBHJR5p5PqQre3EuM:Z8r9aNtuuf7NRjBdQqVBJR9Cl3EuM
                                                                          MD5:3337B8D5AAB06D9072E3D4A72E0F9D26
                                                                          SHA1:2AC8E9CB0F8E3BA05535EE300D49D1DBFCF8C35B
                                                                          SHA-256:5CB4335CB4360B0187AB868B7DADC7E4B45913B676786F2AC95D2C9044861646
                                                                          SHA-512:C5588770C7BF21F37912FB2616B9831718E74CCA0B7E63A0E95611C2F93E55B180189D700A4A3C50314FF07305EBD1294C5F84EFC38AC50D4F447D144D189F28
                                                                          Malicious:true
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C9..-j..-j..-j...j..-jp_.j..-j.9.j..-j.9.j..-j.9.j..-j...j..-j..,j..-j...j..-j...j..-jRich..-j........PE..L......Z.....................j.......4............@..........................@............@.................................L...................................."..................................@...@............................................text............................... ..`.rdata..............................@..@.data...`E..........................@....reloc.."+.......,..................@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):438784
                                                                          Entropy (8bit):6.663378126075105
                                                                          Encrypted:false
                                                                          SSDEEP:12288:u29xzXfvpHMCBkm/4ckvK18d7Xm+S9kMNOU2Eq+xqn6lIzn:u29xzXfvpHMCBkm/4ckvK18d7Xm+S9kT
                                                                          MD5:124AD66540633CB743122E2EA5D18C71
                                                                          SHA1:12635BB0D5BF3B5B3F0ED24F22055B1447778A3F
                                                                          SHA-256:1F0011826BD72DF4232F33A02A8697D4444570C06362B1BA8535E4A11279CFB9
                                                                          SHA-512:EE184653A4A30401DB5CA5753F93E1FF7914D0838FBFDC7DA880F1BE423B1C953F2A21FCA3224D83B2EE39589EC18A418994D001C7262DF0E11F13FE21138A70
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X.v.....................s......s......s.t..........z[.........d...?Z.]...z[.....z[.....z[.....z[.....Rich....................PE..L...I..Z...........!.........................0...............................@............@......................... }..O....r..d.......0........................%...................................o..@............0...............................text............................... ..`.rdata..oM...0...N..................@..@.data....t...........j..............@....rsrc...0...........................@..@.reloc..d-..........................@..B................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):310272
                                                                          Entropy (8bit):6.621497206632747
                                                                          Encrypted:false
                                                                          SSDEEP:6144:TT9KgQ9caedm0soS4mIEoDoh4zbkrTgmXzmphL9rXD5sCiO:TT9KgQPedm0soS4mIEocdrT9XyphL1XZ
                                                                          MD5:C954B7E9D500BADF4DD0A512A273F583
                                                                          SHA1:92738209568304FAAE048AF9FB2DD69257CAA1DE
                                                                          SHA-256:F3C8E39342F16CFCB2EC9ADB39D1CFF274165D1166FDF6917F8693E5C79B2257
                                                                          SHA-512:1072AC3AEE0227027C883D1BAD37217B858EF970DBA63D5F92FE9753D7AC26C18FCEA83E7CECACEA6B69A2DFE4C513E5252B96DAA05A88A133D55C10494BB515
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8j..|..C|..C|..C.ZCx..C..RCQ..C..PC`..C..SC...C|..C...C.|$Cw..C_.SC4..C..WC}..C..TC}..C..QC}..CRich|..C........................PE..L......Z...........!.........V...............................................0............@..........................=..P,...-..x...............................,1..........................x'......0'..@...............4............................text............................... ..`.rdata..............................@..@.data....V...p.......`..............@....tls.................z..............@....rsrc................|..............@..@.reloc..6;.......<..................@..B................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):61952
                                                                          Entropy (8bit):5.9623369659924
                                                                          Encrypted:false
                                                                          SSDEEP:1536:dW9TO0UhPa0Xqtr+RcCGK/sWjcdEPSCc:dW9L0zGKAEPSCc
                                                                          MD5:27B213629FC5B93C819ED03F17D027B5
                                                                          SHA1:D411238078DE7D2338395D74346272188DCD7569
                                                                          SHA-256:D2ED23112E0BC007319F44C0379513381F1FEEB6E82051588156A1AE18640902
                                                                          SHA-512:B3FB9A0D8744ED4C7D9A765FB0427461A805133ACC8D7857CDC358737EB06D2417E0F2FED9675E807597BC715E35CC5197A856BE06537BA54D8C14DA44F03AA7
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d... ... ... ....d.".......2......./.......w...F'..#... ...v....&......F'..!...F'..!...F'..!...Rich ...........................PE..L......Z...........!.....|...........1.......................................@............@.........................`...........<............................ ..........................................@...............(............................text....{.......|.................. ..`.rdata..<L.......N..................@..@.data...4,..........................@....rsrc...............................@..@.reloc..F.... ......................@..B........................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):57856
                                                                          Entropy (8bit):5.864142896774992
                                                                          Encrypted:false
                                                                          SSDEEP:1536:QK2zRk5CDHri6Q4NgAhcd0sWjcdExNgTzfpK+:6BHW6Q4NW7ExNgTzfpN
                                                                          MD5:556C4D654D05A291D144C05A1FF1CD3A
                                                                          SHA1:2FB0718A88D93C9547A10CE8923C45EC1DD0550B
                                                                          SHA-256:7732A4F4B808DEA0E7FC98740D8FB4FA8EBFA7E2D9EFA693B1CE72981E075DDE
                                                                          SHA-512:E0BCC856111E7B60CA802A6226EFB45DBA6195E67D6A1927609C8CCFFF899EDDD4F694D7EFB1C18D175E9575D6080070D8EA750C69508FB7AC451EC6CA7601A0
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'.A;c./hc./hc./h...ha./h...hq./h...hi./h...h4./h.+.h`./hc..h3./h@*.h`./h.+.hb./h.+.hb./h.+.hb./hRichc./h........PE..L......Z...........!.....p..........B%.......................................0............@.........................p...,...D...<.......................................................................@............................................text....o.......p.................. ..`.rdata...I.......J...t..............@..@.data...4,..........................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):915456
                                                                          Entropy (8bit):6.409619510793422
                                                                          Encrypted:false
                                                                          SSDEEP:24576:GDgt3Iu9ER+2r2BCBt/x0Pq4CxFGTInIu4MSg:mgB52HWMSg
                                                                          MD5:86CBDC08307EC5A60D5DAE63F1BF7F1D
                                                                          SHA1:FE71CB33BB49CB7FEF943367D9ED9B7E7234D6B6
                                                                          SHA-256:C50FE83362D84714915A3D429E675F35562F02A0712697B761E57149760898CC
                                                                          SHA-512:6200F5766F95AA66FB6C54E2C00841839CFBF911FC716281D09CE283B25645919A83550FD90DA4C4631F424C6F5BDEEA21C7420524E4738B5A95C95A79BDF7A9
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^I...(...(...(..._ ..(....V.;(....T..(....W.`(..|.R..(...(..r)..9.W.(..|.S..(..|.P..(..|.U..(..Rich.(..........PE..L......Z...........!.....r...................................................p............@.........................`....i......x................................a..................................p...@...............D............................text....p.......r.................. ..`.rdata..G............v..............@..@.data...`E...........h..............@....rsrc...............................@..@.reloc..8p.......r..................@..B........................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):397824
                                                                          Entropy (8bit):6.85298728759357
                                                                          Encrypted:false
                                                                          SSDEEP:6144:SVfDnPf5QwOk8/H1rBHY4FFS5XVpLMTVaHAVIIYI4LBzCsu:SVfDnPhQPrBHY4HSLpqVIIYI4LBzBu
                                                                          MD5:659F25DD0FC41F0D756386AB45FA426B
                                                                          SHA1:C55246262CC066742C970E360D3661CA24BC62AD
                                                                          SHA-256:7957CCC254495C565F26391E0A81A527CED9BC1EB3DD7F1E1D3F99C3DBD18508
                                                                          SHA-512:9EC45B2DBDDE3B655B091C254FD9282C781C9D296417BEAF56EF3A3776F99389D3C9A5F5E11FB1E1E90B4463CEF230A0F6008CF3CC413D5664E8246C096CD4E2
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E......X...X...X..,X...X.hZX...X.hXX...X.h[XV..Xg@^X...X...Xe..X"A[X...Xg@_X...Xg@\X...Xg@YX...XRich...X........PE..L......Z...........!.....@...................P...............................`............@.............................P....x..d............................ ...6...................................u..@............P..`............................text....?.......@.................. ..`.rdata..`1...P...2...D..............@..@.data...Tx.......Z...v..............@....rsrc...............................@..@.reloc...=... ...>..................@..B........................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):175104
                                                                          Entropy (8bit):6.380804511310592
                                                                          Encrypted:false
                                                                          SSDEEP:3072:uy+ViWjqFwR/IW3gpqCFEak9xXXlj967YuUWXEcKBMydTuoQ3UpqTItre14FodB:us/Q8pqp9xXXlpuqBoc0TQk
                                                                          MD5:32DD3C576D236577E9F23EE4D016C467
                                                                          SHA1:9A8B2DDAED3DB4E94FF607AD235BBA6698D8F2C7
                                                                          SHA-256:8D367AC7A3007789CB2006AA4CFB038BEBFF5D11F4C6F130DCB60B1496AC0BEE
                                                                          SHA-512:CB07D3C86C71BB500B612D6A09212B4FE255A27EAEA8E60ACC83CA318B3F9F5BAF608315598AD23B499CE4A900265DF071E7892A10C00FCFC3EC078E871D5B67
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,.U.B.U.B.U.B...W.B..P..].B.6..I.B.6..D.B.6../.B.3...R.B.U.C...B.v...C.B.3...T.B.3...T.B.3...T.B.RichU.B.................PE..L...W..Z...........!................"n....... ............................................@.........................`}......,l..d.......8.......................H...................................hg..@............ ...............................text...6........................... ..`.rdata..g^... ...`..................@..@.data...$/...........r..............@....rsrc...8...........................@..@.reloc...%.......&..................@..B........................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):217088
                                                                          Entropy (8bit):6.551633114866076
                                                                          Encrypted:false
                                                                          SSDEEP:3072:zW2hMZf9HEyhtRU/U5YZndpTO7QO3dxINXgOwLhw84WxoRxz:qgQlETU5MMQYIHGi
                                                                          MD5:30E199190DCD45BA0D122FCD30C274BE
                                                                          SHA1:3DCFB388137475AA10C89433EE6BD46F511CDDE4
                                                                          SHA-256:50B0ADF97C13E3589B5A765564B05FA580E569DA69E3A9BD55E3B3B61EE46A41
                                                                          SHA-512:AF65B9B7128E0DA663D8057B39F11C004314A769C8FC4D75EA1E63544D25D1E08E1E926AB0366C290B4CC8DFC23A906C4EF7ADC2532B91ECF7B228BCAF74BB8F
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........u1x.._+.._+.._+5c.+.._+W..+.._+8.+.._+8.+.._+8.+_._+...+.._+..^+Y._+...+.._+...+.._+...+.._+...+.._+Rich.._+................PE..L...;..Z...........!.........z............................................................@......................... ...8.......d....p..............................................................P...@............................................text...]........................... ..`.rdata..X...........................@..@.data....:...0......................@....rsrc........p.......$..............@..@.reloc..:&.......(...(..............@..B........................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):149504
                                                                          Entropy (8bit):6.209364843209916
                                                                          Encrypted:false
                                                                          SSDEEP:3072:C56aJqLAr7FkF0MrztzsWb1nnbooLGl4AK3vZUsgBHY3P3f4PlQkDHbzisttdzhh:q6aZkFHtzsWb1nnboWG8vL3P3gPGy9PX
                                                                          MD5:022B6FB51D33F9A076329D7A91B40620
                                                                          SHA1:11E964F14883D961ED462ED99990AE40D127EC87
                                                                          SHA-256:666421A0F6F87DFD72F8D1A68A95417709D7ADB47A3F91907EC3686108A6F38B
                                                                          SHA-512:B947DCDD32D0A5AFB0E4F8F9505C4ACDFE16EA7DD6CAE2B9C511F24ED9B88CC1513E39C21FFD454BC42D9CF26B78BFD332D98859C636C242B223D6C6BC1C7D44
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*`>YK.mYK.mYK.m.<.m[K.m...mKK.m...mUK.m...m.K.m?..mRK.mYK.mCJ.mz..m}K.m?..mXK.m?..mXK.m?..mXK.mRichYK.m........................PE..L......Z...........!.....~..........f3....................................................@..........................................`.......................p..........................................@...............8............................text....}.......~.................. ..`.rdata..............................@..@.data...4....0......................@....rsrc........`.......(..............@..@.reloc..>....p.......,..............@..B........................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):219648
                                                                          Entropy (8bit):6.348174231200735
                                                                          Encrypted:false
                                                                          SSDEEP:6144:bBDa8PtdxEWGT1isGfjyxDui2B1dFkYus:bBpPCWG8mxii2zdd
                                                                          MD5:485AA9DC1D332EF1A9DC31F19A526F82
                                                                          SHA1:FF19B3E0A4B379EA4B39075946DA2148859D8ADE
                                                                          SHA-256:BC85490155DAA4C31A2D39447B477A4E442AF47EC83939BD37353857B44C4899
                                                                          SHA-512:62699CB8F889F7D05EC36A6E57685C2A66110096BA97A949911441C3F7AC3BD100BF306C840AE96C883CD03970CEA012DBACA884246F8E6778F3664E9CABC2AF
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u..1..1..1....R.3..',.0...A$.+...A&.:...A%.P..Wi .:..1.....h%."..Wi!.0..Wi".0..Wi'.0..Rich1..........................PE..L...T..Z...........!.................-....................................................@.........................@*......T........`..8....................p...!......................................@............................................text.............................. ..`.rdata.............................@..@.data...\/...0......................@....rsrc...8....`.......*..............@..@.reloc...+...p...,..................@..B................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):617472
                                                                          Entropy (8bit):6.659091537520531
                                                                          Encrypted:false
                                                                          SSDEEP:12288:yyWvcxz3CO9uerS8bf5+yNejUogPr4faWAIhZxsvcI0z+UYOxVJEQU:yyWvQ3CO9uevQvfgPr4fa5cZU/0CO8
                                                                          MD5:6AC28CF170907BA16B68BD39EE86BC29
                                                                          SHA1:8F528C24F39E7EF708EEDFBFD657B026053711F8
                                                                          SHA-256:90645044AFE1C79ECC8877CF9C79414916E1EBD94EBC8714CB68AE34BD89A6A3
                                                                          SHA-512:C59EEAC9E5AF7CED0510B9C13131EE4C848283A484104F1681F6264701FDEF2512C2913AFCA68600FF0DC6E9E114BF8DDE50217A6AE0E360BFFF2FC7F81EE4BA
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................`.X....m......m.,....m./.....!/..... +..... -....Rich....................PE..L...M..Z...........!.........v.......}.......0............................................@.................................t...(............................p..l@......................................@............0...............................text............................... ..`.rdata.......0......................@..@.data....F... ...$..................@....reloc...G...p...H...$..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1601024
                                                                          Entropy (8bit):6.582945039794064
                                                                          Encrypted:false
                                                                          SSDEEP:49152:aDxD+hCoVj+4naaTcdpb12IhjmEpWp2f:aditVjNnaag/b1Th
                                                                          MD5:64F8F960D535AA6200E620C1DEF292FB
                                                                          SHA1:5256DCD40F1538BCA829734CA8EBCA461DD95694
                                                                          SHA-256:2589E277BB9FA363873ABB842EEE89BC1CBEAE2B2AEECE18FAFEA056103B1745
                                                                          SHA-512:521859840737108D9E8C7FAC054D44379695C064B3FC65DD554E3C7D1F6114D0FB3D057260CDA67EEF9EAC80C88AA3C32145CF6E79EA8FA7FE74EB6ACA46A6C4
                                                                          Malicious:true
                                                                          Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........Yq..8..8..8..Ya..8......8..a...8..@..8..+f..8.."...8..f..8..f..8..f..8..f..8..a...8..a...8..8..:..+f..8...f..8..+f..8..Rich.8..........................PE..L....Z.e.................@...................P....@..........................p............@.................................x....................................m...m..p....................n......Pn..@............P..D............................text...P?.......@.................. ..`.rdata..hg...P...h...D..............@..@.data............N..................@....tls................................@....gfids..t...........................@..@.rsrc...............................@..@.reloc...m.......n..................@..B........................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):204800
                                                                          Entropy (8bit):6.471361326454725
                                                                          Encrypted:false
                                                                          SSDEEP:3072:e9fer0Fdxwe2aN8PqghdFat9e92H0+naS+v0523c4oGOOWt:B0FdxIqghdFat9e9U0+nOvh3cSOOq
                                                                          MD5:52A76696B447635922D8EC87D0DA7FEE
                                                                          SHA1:2754B27A4576370C33A3962137E6BFFD7717FEAC
                                                                          SHA-256:DA96B594A132F2983494EA66CA8E683FCE4BBC8AFAF46E5F93D79592BCC6CC75
                                                                          SHA-512:E2C8E6A1B3D66BD0D98FBC22DAA42DC3EB943C7A0DBCB0F9B4F4144C5DEF06B698B6A9378D886359904D46448A1CA5104C4EBA32EFC2B83D0C6C765BC63EC3DD
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................y.......................ZL:...ZL!.....................}.........Rich....................PE..L...4].e.....................................0....@..........................`............@.................................(...h............................0...$......p..........................p...@............0...............................text............................... ..`.rdata..R....0......."..............@..@.data...............................@....gfids..t...........................@..@.tls................................@....rsrc...............................@..@.reloc...$...0...&..................@..B................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):12700672
                                                                          Entropy (8bit):6.9672580308000205
                                                                          Encrypted:false
                                                                          SSDEEP:196608:lwKioTfB+Hlj1bsOkKSt9xZI8wFf112MrobUXzvsIRrl:lBBBCbsOQt9xZI8wFf1Z8tIJl
                                                                          MD5:51C85EA158A27F0BE6D020D7524BE8AC
                                                                          SHA1:84DFC155635FE83C0C742B3045784C87A89E5F84
                                                                          SHA-256:4D2AA7200F4DB66770FCD5D087925F745A6BDF225F1FF55A017DF54AF7140294
                                                                          SHA-512:E8F3424E5C1898838CF686B1D917B2B9253B41B176FD5C53E31FE9E0A7C9B4B3583BA2B53C0BEC84FCEA43B17C5B99A509AD472116E1274B729469B03E05A4F9
                                                                          Malicious:false
                                                                          Yara Hits:
                                                                          • Rule: Windows_Ransomware_Hellokitty_d9391a1a, Description: unknown, Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.dll, Author: unknown
                                                                          • Rule: Windows_Ransomware_Hellokitty_d9391a1a, Description: unknown, Source: C:\Program Files (x86)\Windows Provisioning\svcAppInit.dll, Author: unknown
                                                                          Preview:MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$........\.\.=i..=i..=i.Fdl..=i..E...=i.=....=i..cj..=i..cm..=i..ch..=i......=i.4cm..=i.~...=i..cl..=i.4ch..=i.~...=i.~...=i.~...=i..=h..9i.4c`..?i.4ci..=i.1c...=i..=...=i.4ck..=i.Rich.=i.................PE..L...H\.e...........!......}..$N......|Z...... }...........................................@.............................L...,..p.... ..`.(......................s...V..p...................\W.......W..@............ }..............................text.....}.......}................. ..`.rdata...R... }..T....}.............@..@.data...du...........^..............@....gfids..h............r..............@..@.tls.................t..............@....rsrc...`.(.. ....(..v..............@..@.reloc...s.......t...X..............@..B................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):137216
                                                                          Entropy (8bit):6.59221818170857
                                                                          Encrypted:false
                                                                          SSDEEP:1536:KBw6F6OpjWpsm9l19z+VZJK0bI1CCd2woq77cBbShJeeOACGsk60aMGGOoTS4Z3x:svFE1l+rJKVDK2ekaQO5uguGho
                                                                          MD5:3135A7FEE1AD484104A1309104312D9E
                                                                          SHA1:85F7C56D52F6E3EC08BE8F985E682F5F34703ECF
                                                                          SHA-256:1286B65FE6590F43875469A4CFD4F4E21768AB87EBE8A3A31FDAD58E73E4A561
                                                                          SHA-512:05D113FF8625560EDB355FB93419328A8055ACD8F21CBE56363BEB85A3D3C8A1B3D2686B8A18F8BDF99963F32BBC3E000EE81936CF9DCFF8054D6628D2324B86
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........p.f...5...5...5.im5...5.O.4...5.O.4...5.O.4...5<.05...5.O.4...5<..5...5<.55...5...5...5vO.4...5sO.5...5vO.4...5Rich...5................PE..L...AZ.e.................d...........C............@..........................p............@.....................................T....@.......................P..........p...........................0...@...............d............................text...&b.......d.................. ..`.rdata..:............h..............@..@.data...8...........................@....gfids..p.... ......................@..@.tls.........0......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):6077952
                                                                          Entropy (8bit):6.615630742155116
                                                                          Encrypted:false
                                                                          SSDEEP:98304:KYjEcSNV5+O7gLGvz+/gO9v/wh34Bm06kv33E5MsyEEKDCOr6AXRQP:KYjED4GL+/gO9v/wh31qMM5EEA
                                                                          MD5:77FAD01911F74D654E84C632BCE277BE
                                                                          SHA1:C36318140F45AB98AFB17A3AB0E3805C0531AB4F
                                                                          SHA-256:811C4E3A77FC525C0E56A64DD587334DEAD86C8F5C7EC9F15639217BF349A381
                                                                          SHA-512:CA446F4D469449D57B935970154224373A7FF27CCB6561673919C1A428B962919B2CAC733B9F739B96FB4B5B548479961A405D08341ABCBBDFD03E838B235450
                                                                          Malicious:false
                                                                          Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$........t.V.............m#.....CL......1K.......K......8.w......K.......K......{.a.....1K.......K......{.~.....{.`.....{.{.............1K..R...1K......4KO.....1K......Rich....................PE..L...#].e...........!.....:N.........^.5......PN...............................c...........@...........................S.T...d.S.l.....Z.......................Z.@....+Q.p....................+Q.....p+Q.@............PN..............................text...08N......:N................. ..`.rdata...p...PN..r...>N.............@..@.data.........S..T....S.............@....gfids..h.....Z.......T.............@..@.tls..........Z.......T.............@....rsrc.........Z.......T.............@..@.reloc..@.....Z.......T.............@..B................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):610816
                                                                          Entropy (8bit):6.741602893603179
                                                                          Encrypted:false
                                                                          SSDEEP:12288:j6u2Y3jkg7hVtdjBDhiQsZCt4O9UUjS/dKIOb:nLIAV7BDHwCt4OqUju
                                                                          MD5:794122A33A390FF07CA891B568110D10
                                                                          SHA1:2B9FC5468973B0362AA2E6C564B80E267F96CCA1
                                                                          SHA-256:E210AACEC16E781DE0025D052198F8FCB7458E94C4CE3B018FCF9CCDFC42F88C
                                                                          SHA-512:9E2E9DDE79BC85C2E06F98E2508FC61EC37F377DFD28A8C97DCEE222EA78EB25C94409B9B307AE98C1AD4D448C38313E3580CEA42098B312085C7916B1695511
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......H.k....................7.......7.......7.......7...(....d.......d..................0...........................Rich............................PE..L....Z.e.........................................@.......................................@.....................................h....`.......................p..dE......p...................\...........@...............D............................text............................... ..`.rdata...%.......&..................@..@.data.... ..........................@....gfids..t....@......................@..@.tls.........P......................@....rsrc........`......................@..@.reloc..dE...p...F..................@..B........................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):84992
                                                                          Entropy (8bit):6.233845038179117
                                                                          Encrypted:false
                                                                          SSDEEP:1536:Adh0y/0bo0Tgd42zPUCK6mjsjDBgp7xW9k9vg7GyreZ/MW/qcS:Ag00bo0QPTmg/4WKvIjreqWBS
                                                                          MD5:E53E0020D7FE34B1E8F75AF444E64C72
                                                                          SHA1:9BDDDA2B776F37A3E685589F7C0212D6974F73DE
                                                                          SHA-256:D2B69BD0CAF49DDD0DB51B92990FE88DF8097FC85E22F1DE408B4C905997AED4
                                                                          SHA-512:90E4B3B424CF36921069EB112A8A35ECC03995CAE04D49B07E24D218DD1528BB7304A9A2A0334C58B2C28F098F38A278418CB7BB65CA57A3FC4BF6AFB4698681
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<..[].}[].}[].}R%.}O].}`..|R].}`..|V].}`..|_].}`..|.].}..Z}Z].}..A}H].}[].}i\.}...|J].}..u}Z].}...|Z].}Rich[].}........PE..L....Z.e.....................b......:.............@.......................................@.................................t2..,....p..............................@...p...............................@............................................text............................... ..`.rdata..r?.......@..................@..@.data........@.......0..............@....gfids..t....P.......4..............@..@.tls.........`.......6..............@....rsrc........p.......8..............@..@.reloc...............:..............@..B................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):3920
                                                                          Entropy (8bit):7.948224416130811
                                                                          Encrypted:false
                                                                          SSDEEP:96:C5n4zBDEo17hoeYkmElrYsF7Zf7W+h6d/bDgcYohEWgctH:C5n4FDJhoHAb71C/dYcphbPtH
                                                                          MD5:F8927576A49A96D59413C1BC6ED58A33
                                                                          SHA1:BF961F9797E3A2D4165F39438858CB896F413A46
                                                                          SHA-256:B625A8694B4E4D3E360BD153C30DE8851567187F179E988B077AE6F36D2DF5CC
                                                                          SHA-512:2337FDDD87B4F94E2FF265C8EA32ACF9E9103FCF263E4D5F0DFFD08DC5329CEC16332EA93F8E796D29E19DAAF933DF6FAECE73C191D0CB92261FB29B5516CFCB
                                                                          Malicious:false
                                                                          Preview:..H..U.F|.\..5.\<....0.d...b>..C..P...7Tw...lc.......f_9h|k..)?...n..H`4...*.pPti..d*..e..Xm......+e....`.ct...rp.,q3.5i.._..c.j....w0..25.:.x.9..E<:D.].Maa.....Bf...n&......J..k...@E.JA.....T..m..K.......2..1.....I0.6r.K...fX.+..g..s......F..B.....p.z$..ru..d....WY.V....\.....G.....j..5S..`.m.u.F.,....k......L....R..\.."..?R..z...._[....L.@+..........g....,.RT0....|oD..U...e..Ed.>....h.u$...n.-..h.........xU;./g.p.......U.S....-..L...y..O.K..<#._j4U.{x....0T.....gS.......i.L.B.SE.|.s.......DU-....p.1.3|jB.e..K._.OG..D.......u\...D...:..J...x-...D...Jl. .im.hz.....L.,.{.(.SG..(.k.}(cZ..z....C.Sf......0..2{4.....3......7..'...0.5,."Woc=`.Y.3..Rn5.S.`..fx..I_d.|V!w3.u..K..B......0...fT..c.....U...r.....z`.. ..I ...1..Wu2..;..(>..@..f...f.#..)..2........|.).....3u.d...&........:..X...~...l.(..._.;zf.Y...p...d.Ct....e......].u...5j.?.3..2.y2.Er.Y?....f.i.J..Xo.TA%O.6.}.....7.....&.6]Fy&<....9..O..\..g@_...8u..p...1h.n.....
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):19968
                                                                          Entropy (8bit):5.975015207564095
                                                                          Encrypted:false
                                                                          SSDEEP:384:mKT7wkXtiJRLmal+FI+MprHBjKgfjHkO2kvnpfIvfTYb72f8pevb:xxOJ1BkgfbkYPpAva7M8sT
                                                                          MD5:5285E941C30D582AD49228CF7D476464
                                                                          SHA1:C428E253EFF240C101655D128B3684828354006A
                                                                          SHA-256:C010FA2AAB01EC7DB6830B23A8E542F138BD2D16C6F2C532CEC29DF7C3B31DF4
                                                                          SHA-512:BB9F3932E72705BF793161BC28822A9B9A1251E521CD3C1A6018AC68EFC822CA3E2AE5402D46BBB0A27F6DBD2961C71A1A3992FFD59C5DDE1797619E63BB5929
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......rf..6..W6..W6..W?.OW&..W.Y.V4..W.Y.V7..W.Y.V;..W.Y.V2..W.Y.V...W...W1..W6..W@..W.Y.V2..W.Y#W7..W.Y.V7..WRich6..W........................PE..L...5Z.e.................*...$.......,.......@....@.......................................@..................................L.......................................C..p...........................pC..@............@..8............................text....).......*.................. ..`.rdata.......@......................@..@.data...<....`.......D..............@....gfids..T....p.......F..............@..@.rsrc................H..............@..@.reloc...............J..............@..B........................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1601024
                                                                          Entropy (8bit):6.582945039794064
                                                                          Encrypted:false
                                                                          SSDEEP:49152:aDxD+hCoVj+4naaTcdpb12IhjmEpWp2f:aditVjNnaag/b1Th
                                                                          MD5:64F8F960D535AA6200E620C1DEF292FB
                                                                          SHA1:5256DCD40F1538BCA829734CA8EBCA461DD95694
                                                                          SHA-256:2589E277BB9FA363873ABB842EEE89BC1CBEAE2B2AEECE18FAFEA056103B1745
                                                                          SHA-512:521859840737108D9E8C7FAC054D44379695C064B3FC65DD554E3C7D1F6114D0FB3D057260CDA67EEF9EAC80C88AA3C32145CF6E79EA8FA7FE74EB6ACA46A6C4
                                                                          Malicious:false
                                                                          Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........Yq..8..8..8..Ya..8......8..a...8..@..8..+f..8.."...8..f..8..f..8..f..8..f..8..a...8..a...8..8..:..+f..8...f..8..+f..8..Rich.8..........................PE..L....Z.e.................@...................P....@..........................p............@.................................x....................................m...m..p....................n......Pn..@............P..D............................text...P?.......@.................. ..`.rdata..hg...P...h...D..............@..@.data............N..................@....tls................................@....gfids..t...........................@..@.rsrc...............................@..@.reloc...m.......n..................@..B........................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):12700672
                                                                          Entropy (8bit):6.9672580308000205
                                                                          Encrypted:false
                                                                          SSDEEP:196608:lwKioTfB+Hlj1bsOkKSt9xZI8wFf112MrobUXzvsIRrl:lBBBCbsOQt9xZI8wFf1Z8tIJl
                                                                          MD5:51C85EA158A27F0BE6D020D7524BE8AC
                                                                          SHA1:84DFC155635FE83C0C742B3045784C87A89E5F84
                                                                          SHA-256:4D2AA7200F4DB66770FCD5D087925F745A6BDF225F1FF55A017DF54AF7140294
                                                                          SHA-512:E8F3424E5C1898838CF686B1D917B2B9253B41B176FD5C53E31FE9E0A7C9B4B3583BA2B53C0BEC84FCEA43B17C5B99A509AD472116E1274B729469B03E05A4F9
                                                                          Malicious:false
                                                                          Preview:MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$........\.\.=i..=i..=i.Fdl..=i..E...=i.=....=i..cj..=i..cm..=i..ch..=i......=i.4cm..=i.~...=i..cl..=i.4ch..=i.~...=i.~...=i.~...=i..=h..9i.4c`..?i.4ci..=i.1c...=i..=...=i.4ck..=i.Rich.=i.................PE..L...H\.e...........!......}..$N......|Z...... }...........................................@.............................L...,..p.... ..`.(......................s...V..p...................\W.......W..@............ }..............................text.....}.......}................. ..`.rdata...R... }..T....}.............@..@.data...du...........^..............@....gfids..h............r..............@..@.tls.................t..............@....rsrc...`.(.. ....(..v..............@..@.reloc...s.......t...X..............@..B................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):137216
                                                                          Entropy (8bit):6.59221818170857
                                                                          Encrypted:false
                                                                          SSDEEP:1536:KBw6F6OpjWpsm9l19z+VZJK0bI1CCd2woq77cBbShJeeOACGsk60aMGGOoTS4Z3x:svFE1l+rJKVDK2ekaQO5uguGho
                                                                          MD5:3135A7FEE1AD484104A1309104312D9E
                                                                          SHA1:85F7C56D52F6E3EC08BE8F985E682F5F34703ECF
                                                                          SHA-256:1286B65FE6590F43875469A4CFD4F4E21768AB87EBE8A3A31FDAD58E73E4A561
                                                                          SHA-512:05D113FF8625560EDB355FB93419328A8055ACD8F21CBE56363BEB85A3D3C8A1B3D2686B8A18F8BDF99963F32BBC3E000EE81936CF9DCFF8054D6628D2324B86
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........p.f...5...5...5.im5...5.O.4...5.O.4...5.O.4...5<.05...5.O.4...5<..5...5<.55...5...5...5vO.4...5sO.5...5vO.4...5Rich...5................PE..L...AZ.e.................d...........C............@..........................p............@.....................................T....@.......................P..........p...........................0...@...............d............................text...&b.......d.................. ..`.rdata..:............h..............@..@.data...8...........................@....gfids..p.... ......................@..@.tls.........0......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):6077952
                                                                          Entropy (8bit):6.615630742155116
                                                                          Encrypted:false
                                                                          SSDEEP:98304:KYjEcSNV5+O7gLGvz+/gO9v/wh34Bm06kv33E5MsyEEKDCOr6AXRQP:KYjED4GL+/gO9v/wh31qMM5EEA
                                                                          MD5:77FAD01911F74D654E84C632BCE277BE
                                                                          SHA1:C36318140F45AB98AFB17A3AB0E3805C0531AB4F
                                                                          SHA-256:811C4E3A77FC525C0E56A64DD587334DEAD86C8F5C7EC9F15639217BF349A381
                                                                          SHA-512:CA446F4D469449D57B935970154224373A7FF27CCB6561673919C1A428B962919B2CAC733B9F739B96FB4B5B548479961A405D08341ABCBBDFD03E838B235450
                                                                          Malicious:false
                                                                          Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$........t.V.............m#.....CL......1K.......K......8.w......K.......K......{.a.....1K.......K......{.~.....{.`.....{.{.............1K..R...1K......4KO.....1K......Rich....................PE..L...#].e...........!.....:N.........^.5......PN...............................c...........@...........................S.T...d.S.l.....Z.......................Z.@....+Q.p....................+Q.....p+Q.@............PN..............................text...08N......:N................. ..`.rdata...p...PN..r...>N.............@..@.data.........S..T....S.............@....gfids..h.....Z.......T.............@..@.tls..........Z.......T.............@....rsrc.........Z.......T.............@..@.reloc..@.....Z.......T.............@..B................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):610816
                                                                          Entropy (8bit):6.741602893603179
                                                                          Encrypted:false
                                                                          SSDEEP:12288:j6u2Y3jkg7hVtdjBDhiQsZCt4O9UUjS/dKIOb:nLIAV7BDHwCt4OqUju
                                                                          MD5:794122A33A390FF07CA891B568110D10
                                                                          SHA1:2B9FC5468973B0362AA2E6C564B80E267F96CCA1
                                                                          SHA-256:E210AACEC16E781DE0025D052198F8FCB7458E94C4CE3B018FCF9CCDFC42F88C
                                                                          SHA-512:9E2E9DDE79BC85C2E06F98E2508FC61EC37F377DFD28A8C97DCEE222EA78EB25C94409B9B307AE98C1AD4D448C38313E3580CEA42098B312085C7916B1695511
                                                                          Malicious:false
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):84992
                                                                          Entropy (8bit):6.233845038179117
                                                                          Encrypted:false
                                                                          SSDEEP:1536:Adh0y/0bo0Tgd42zPUCK6mjsjDBgp7xW9k9vg7GyreZ/MW/qcS:Ag00bo0QPTmg/4WKvIjreqWBS
                                                                          MD5:E53E0020D7FE34B1E8F75AF444E64C72
                                                                          SHA1:9BDDDA2B776F37A3E685589F7C0212D6974F73DE
                                                                          SHA-256:D2B69BD0CAF49DDD0DB51B92990FE88DF8097FC85E22F1DE408B4C905997AED4
                                                                          SHA-512:90E4B3B424CF36921069EB112A8A35ECC03995CAE04D49B07E24D218DD1528BB7304A9A2A0334C58B2C28F098F38A278418CB7BB65CA57A3FC4BF6AFB4698681
                                                                          Malicious:false
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):167424
                                                                          Entropy (8bit):6.6317291634787745
                                                                          Encrypted:false
                                                                          SSDEEP:3072:1ym6xTu/TTpx6mc/ehGKIb4AyNeEhJYK+4Rtqt5pJtltDqF:56xTu/TTFc/ei6eEhJYK9tqJJbA
                                                                          MD5:8F6EBE75FC854863F171EA75F99F84BD
                                                                          SHA1:75256941E44751A0F54C06ACA825665EBA58299E
                                                                          SHA-256:EDBD44A16173A41216AAD9CCD3E31116EA3C9FF90AF68B6D434F932CB86D8E01
                                                                          SHA-512:1B057962DF36242983F3D33600E05B886BDB854DCF0ADA3B429D931B4A775984E66DC7082E9AB0B9BA747EE8D9F7C3A83FF398300415B0C134DC6C40C2539A1E
                                                                          Malicious:false
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):6
                                                                          Entropy (8bit):1.9182958340544893
                                                                          Encrypted:false
                                                                          SSDEEP:3:3jF:J
                                                                          MD5:DF4F0F1534FAA418D6185F67DAA63A7B
                                                                          SHA1:D1501DEAE95507919B30F2ADFA13EE822464CC92
                                                                          SHA-256:3CFDEC96C972680CABF7829616A54508CABCFC4FBF80AB160DCAD001322AF69F
                                                                          SHA-512:CF5493D53B591941C1123BF347DDDFC123196A94EB6B1685E32D37BF42FBBEAA8619AF5A6F73F0E1216951856C0C73D97F0DF221020EDC3F27E9CCCC424DEE62
                                                                          Malicious:false
                                                                          Preview:2.6.2
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):544768
                                                                          Entropy (8bit):5.394993462138102
                                                                          Encrypted:false
                                                                          SSDEEP:6144:quo4fjUUZS4GlwkWXyKdynaktvEVAVurQWtjfPG4xxm5GCKIBFmgZOetzs8ww:1ZfjGwkrnakaKluPG4/moPyxZZ2w
                                                                          MD5:3888783120F2A5AE2B9C6F5ADD3143A9
                                                                          SHA1:7B846A34121A3987E3D50D2E1146374D42B695E7
                                                                          SHA-256:5314C3C1570595785D58D93287FCCB77B58D94F90888EFACDB3681934C9262F3
                                                                          SHA-512:E4AA3359EBCD1C8B146DDABB07909D945F58F40803C83EA36F8FB3579091644E5C04BEAE928A0E115ED9B1D2D9A9315F6F85E915FE9FDE7FCD6CAAB084252B2A
                                                                          Malicious:false
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1059328
                                                                          Entropy (8bit):5.653709882921514
                                                                          Encrypted:false
                                                                          SSDEEP:12288:ZpfNRbih34rFQYU6cSKReEl403Mhxet1/eowkUsbgkw7:5RsKQY7wpl4/hxet1/e9kRI
                                                                          MD5:D122FE3F4BCAC3809242188DD46ED421
                                                                          SHA1:5DEAFB82E8B321BF5B85EFC7B11646A632E796CF
                                                                          SHA-256:51605EBA94DBE992BA119DB2FA026323203EDF3E562FD608FFD41450CBA25DFC
                                                                          SHA-512:F59A16DC13854816B8FC0B899CFCBBC5C1E8B3D5421F105A542E28DE145354C59EADA1F5BE0155A02D93C3C44D36722DA29790922A2A25801336CDB76B597683
                                                                          Malicious:false
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):167424
                                                                          Entropy (8bit):6.6317291634787745
                                                                          Encrypted:false
                                                                          SSDEEP:3072:1ym6xTu/TTpx6mc/ehGKIb4AyNeEhJYK+4Rtqt5pJtltDqF:56xTu/TTFc/ei6eEhJYK9tqJJbA
                                                                          MD5:8F6EBE75FC854863F171EA75F99F84BD
                                                                          SHA1:75256941E44751A0F54C06ACA825665EBA58299E
                                                                          SHA-256:EDBD44A16173A41216AAD9CCD3E31116EA3C9FF90AF68B6D434F932CB86D8E01
                                                                          SHA-512:1B057962DF36242983F3D33600E05B886BDB854DCF0ADA3B429D931B4A775984E66DC7082E9AB0B9BA747EE8D9F7C3A83FF398300415B0C134DC6C40C2539A1E
                                                                          Malicious:false
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):544768
                                                                          Entropy (8bit):5.394993462138102
                                                                          Encrypted:false
                                                                          SSDEEP:6144:quo4fjUUZS4GlwkWXyKdynaktvEVAVurQWtjfPG4xxm5GCKIBFmgZOetzs8ww:1ZfjGwkrnakaKluPG4/moPyxZZ2w
                                                                          MD5:3888783120F2A5AE2B9C6F5ADD3143A9
                                                                          SHA1:7B846A34121A3987E3D50D2E1146374D42B695E7
                                                                          SHA-256:5314C3C1570595785D58D93287FCCB77B58D94F90888EFACDB3681934C9262F3
                                                                          SHA-512:E4AA3359EBCD1C8B146DDABB07909D945F58F40803C83EA36F8FB3579091644E5C04BEAE928A0E115ED9B1D2D9A9315F6F85E915FE9FDE7FCD6CAAB084252B2A
                                                                          Malicious:true
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1059328
                                                                          Entropy (8bit):5.653709882921514
                                                                          Encrypted:false
                                                                          SSDEEP:12288:ZpfNRbih34rFQYU6cSKReEl403Mhxet1/eowkUsbgkw7:5RsKQY7wpl4/hxet1/e9kRI
                                                                          MD5:D122FE3F4BCAC3809242188DD46ED421
                                                                          SHA1:5DEAFB82E8B321BF5B85EFC7B11646A632E796CF
                                                                          SHA-256:51605EBA94DBE992BA119DB2FA026323203EDF3E562FD608FFD41450CBA25DFC
                                                                          SHA-512:F59A16DC13854816B8FC0B899CFCBBC5C1E8B3D5421F105A542E28DE145354C59EADA1F5BE0155A02D93C3C44D36722DA29790922A2A25801336CDB76B597683
                                                                          Malicious:true
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):11776
                                                                          Entropy (8bit):5.854901984552606
                                                                          Encrypted:false
                                                                          SSDEEP:192:qPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4U:F7VpNo8gmOyRsVc4
                                                                          MD5:0063D48AFE5A0CDC02833145667B6641
                                                                          SHA1:E7EB614805D183ECB1127C62DECB1A6BE1B4F7A8
                                                                          SHA-256:AC9DFE3B35EA4B8932536ED7406C29A432976B685CC5322F94EF93DF920FEDE7
                                                                          SHA-512:71CBBCAEB345E09306E368717EA0503FE8DF485BE2E95200FEBC61BCD8BA74FB4211CD263C232F148C0123F6C6F2E3FD4EA20BDECC4070F5208C35C6920240F0
                                                                          Malicious:false
                                                                          Process:C:\Program Files (x86)\Windows Provisioning\nss\certutil.exe
                                                                          File Type:SQLite 3.x database, last written using SQLite version 3010002, page size 32768, file counter 9, database pages 7, cookie 0x5, schema 4, UTF-8, version-valid-for 9
                                                                          Category:modified
                                                                          Size (bytes):229376
                                                                          Entropy (8bit):0.7256748281262911
                                                                          Encrypted:false
                                                                          SSDEEP:384:S71zkVmvQhyn+Zoz67sU8an6Gp1ZMMTNlH333JqN8j/LKXAdO8596uv:S7wM0sCye
                                                                          MD5:F9C2C55CDC6351B4A8055396AFEAFC84
                                                                          SHA1:991B2BCA17D7A6706A41740A27C3998A707283FD
                                                                          SHA-256:9323955796CC783D33ED83A7E274980DEAB9351ACF245A10D5756423F3CDFFA2
                                                                          SHA-512:8AFF829C643499D3A2F5CDF4B620501DB842503ED6D2203159DA620F0926AED7F071EC6785A4195D45627FEFA0EB0979865FC55E80418C883B9112C4AF0D7250
                                                                          Malicious:true
                                                                          Process:C:\Program Files (x86)\Windows Provisioning\nss\certutil.exe
                                                                          File Type:SQLite Rollback Journal
                                                                          Category:dropped
                                                                          Size (bytes):229944
                                                                          Entropy (8bit):0.71297226091747
                                                                          Encrypted:false
                                                                          SSDEEP:384:7I6ux85Cn8an6Gp1ZMMTNlH333JqN8j/LKX2f1zkVmvQhyn+Zoz67e:mM0sCycf
                                                                          MD5:B47E8D8680D6F8714DC98B33EB4B8005
                                                                          SHA1:E2604D7C7DE4E41C645EE66613414FF1EBAED7F9
                                                                          SHA-256:3E561475ADCAE198C9B1D1C633C9C38F2CCFC63AAFE603D62102A5AC5460B894
                                                                          SHA-512:47A07187C86874A8E178F6DBD50B57CC4F0AAEE9616455A8A494786BEF0B2E845AA1C59DFC622D61A6DB72D0C641473A089834A63AFECCC3CF0018875C3AC724
                                                                          Malicious:true
                                                                          Process:C:\Program Files (x86)\Windows Provisioning\nss\certutil.exe
                                                                          File Type:SQLite 3.x database, last written using SQLite version 3010002, page size 32768, file counter 3, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 3
                                                                          Category:dropped
                                                                          Size (bytes):294912
                                                                          Entropy (8bit):0.15197124999372147
                                                                          Encrypted:false
                                                                          SSDEEP:192:dva0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23vYun:d1zkVmvQhyn+Zoz67tun
                                                                          MD5:3BE352A3BA65286BBAEABBB0116DC81D
                                                                          SHA1:B6C291A88A92E761A61083911A71BA851A2092EE
                                                                          SHA-256:21EA41EB8548E3EB9D17D85205A769E5E2C864167FDCF8AE798C4750761E3A53
                                                                          SHA-512:DA966B72CDA576EFBB72D0E8EE5490FE5BCB09577C8338E29872AAFF5863F6F380611EAD445736491F043D6178408CFDB42690281717D08CE4D1137DCE0F8797
                                                                          Malicious:true
                                                                          Process:C:\Program Files (x86)\Windows Provisioning\nss\certutil.exe
                                                                          File Type:SQLite Rollback Journal
                                                                          Category:dropped
                                                                          Size (bytes):98840
                                                                          Entropy (8bit):0.22706952742998673
                                                                          Encrypted:false
                                                                          SSDEEP:192:7Jeiva0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23vt:7Jei1zkVmvQhyn+Zoz67o
                                                                          MD5:9379A944887007EB4399A105D421E0B5
                                                                          SHA1:A269B398F1AD2E2BEBC402FA28A1D924D19731DE
                                                                          SHA-256:675387A561698F48B899CCB2869D49F86D7B0DFAE8C9230B490CDD14C37AD6CC
                                                                          SHA-512:A70C6C5DF1A89FF166E1D37C9AD7D9B3700DAB41EBADE60753D3CA918D005241EF492356A31DC3005579FA7CA205C98E73C92F12C13CC6B056C22DA3D70E3A8D
                                                                          Malicious:true
                                                                          Preview:.... .c.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe
                                                                          File Type:data
                                                                          Category:modified
                                                                          Size (bytes):9558
                                                                          Entropy (8bit):5.509553558339033
                                                                          Encrypted:false
                                                                          SSDEEP:192:nnPOeRnWYbBp6RJ0aX+H6SEXKxkHWNBw8D4SW:PeegJUaJHEw9T
                                                                          MD5:6330EBA843B2080E3CA68510769DCEC1
                                                                          SHA1:B92D347111135234957E26A8FE01F8433ECF758C
                                                                          SHA-256:ECC10724DF27ED6183EFA5794E67D642D77A885CFED90A366896FC1965F4D810
                                                                          SHA-512:511A49821726A041BC474A43042FEA048ED2447DADD7E565732D7922DF0B27C6E2EDB6BD7A8D3E816E8E8860EAB64C2A754823C677800FA66903618D754606B8
                                                                          Malicious:true
                                                                          Preview:// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696426836);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696426837);..user_pref("app.update.lastUpdateTime.xpi-signature-verification
                                                                          Process:C:\Users\user\Desktop\5006_2.6.2.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):2827776
                                                                          Entropy (8bit):6.508653659833048
                                                                          Encrypted:false
                                                                          SSDEEP:6144:8IACSAtjVdHp1vN82Yed05UEl8FV8V306IAThNgUOfN/wZuSSMGYtXU:PACBBp1aJedCFlv06I4NgTN4ZuSS4tX
                                                                          MD5:7BCC1F1DEB45BF58C7C559DFE3240E08
                                                                          SHA1:80837EE226B256F9E24FA64C9188C6F92D253835
                                                                          SHA-256:79E2537982C1AEDE2925F5083F916BEECAE23301E2E04F3DEF69E849DCB9AAD9
                                                                          SHA-512:9F05B597C0382AA4409E2AB9F3C38C8E67D499CDA891C89D981BC64BA97A986E779375BB0D974BD9E3E63B840FA41A677007C2643591F40C41628FE9DF89C592
                                                                          Malicious:true
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........P..............U.............................U#..............U#..........[.............9.......Q.............Rich............PE..L....Z.e......................).....Q`............@..........................p+...........@..................................Q............(..................P+.....p/..p...................<0......./..@............................................text............................... ..`.rdata..............................@..@.data...h....p.......Z..............@....gfids..t............^..............@..@.tls.................`..............@....rsrc.....(.......(..b..............@..@.reloc.......P+.......+.............@..B........................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\Desktop\5006_2.6.2.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                          Category:dropped
                                                                          Size (bytes):16131606
                                                                          Entropy (8bit):7.980924133095628
                                                                          Encrypted:false
                                                                          SSDEEP:393216:muo7WoZ24T+6vdEuIkTx49pktdzjPsxKZEOOtIoTSOderB+:m7Wk29odk3H0dHjEHtIh8e4
                                                                          MD5:2F61BD2AC7DC2252AD5743093CEB09DC
                                                                          SHA1:B3CE0F074037B1E9513680516F6B1B0A87CE242B
                                                                          SHA-256:2A75269F9C3012561E1DB5CB7883BE6A0DA057EDC2F61A6AC7610C2079689635
                                                                          SHA-512:D723D8738350DBCDE2066B666CE0CF96E4F9FA088CCDA11B51241E876347A1288607BEFABBAD981C218BCFB1B1411F6234D242D0172B9EFE10F3FD19B7B63387
                                                                          Malicious:true
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..F..F..F.*....F..G.w.F.*....F..v..F...@..F.Rich.F.........PE..L......].................d...|......k2............@.......................................@.................................<........... ............................................................................................................text....b.......d.................. ..`.rdata..J............h..............@..@.data....U...........|..............@....ndata...................................rsrc... ...........................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\Desktop\5006_2.6.2.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):6
                                                                          Entropy (8bit):1.9182958340544893
                                                                          Encrypted:false
                                                                          SSDEEP:3:3jF:J
                                                                          MD5:DF4F0F1534FAA418D6185F67DAA63A7B
                                                                          SHA1:D1501DEAE95507919B30F2ADFA13EE822464CC92
                                                                          SHA-256:3CFDEC96C972680CABF7829616A54508CABCFC4FBF80AB160DCAD001322AF69F
                                                                          SHA-512:CF5493D53B591941C1123BF347DDDFC123196A94EB6B1685E32D37BF42FBBEAA8619AF5A6F73F0E1216951856C0C73D97F0DF221020EDC3F27E9CCCC424DEE62
                                                                          Malicious:false
                                                                          Preview:2.6.2
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):98040
                                                                          Entropy (8bit):6.127745728436191
                                                                          Encrypted:false
                                                                          SSDEEP:1536:zg6Z54QkC2wpk2c+ZCDHKklh74RTfIEtaYQ0:M6Z54ARcIxk4LIEtaYj
                                                                          MD5:86316BE34481C1ED5B792169312673FD
                                                                          SHA1:6CCDE3A8C76879E49B34E4ABB3B8DFAF7A9D77B5
                                                                          SHA-256:49656C178B17198470AD6906E9EE0865F16F01C1DBBF11C613B55A07246A7918
                                                                          SHA-512:3A6E77C39942B89F3F149E9527AB8A9EB39F55AC18A9DB3A3922DFB294BEB0760D10CA12BE0E3A3854FF7DABBE2DF18C52E3696874623A2A9C5DC74B29A860BC
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........H...H...H...oe.Z...oe.j...oe.+......C...H...2...oe..L...oe..I...oe.I...oe..I...RichH...........PE..L...<.0Q...........!.........p......`Q..........................................................................................x....P..T............`.......`..d...................................X...@............................................text...:........................... ..`.rdata...+.......0..................@..@.data....,... ....... ..............@....rsrc...T....P.......0..............@..@.reloc..d....`... ...@..............@..B................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):143872
                                                                          Entropy (8bit):6.369995603809854
                                                                          Encrypted:false
                                                                          SSDEEP:3072:FjY8iLiuBSvvB5irGAB3YFOnzIfuKBNJrSmR:FjiLiuBSvp8au3YFOzuuKBNJrSmR
                                                                          MD5:359B243D01126EDFCE72FA17A6D17EF2
                                                                          SHA1:986209D7BE14AAD4C485A82BAF696F44060C744A
                                                                          SHA-256:B96218444F3AE1DBCCB75DC15FA71D558AB3D2BEA45B9BFE1A0AC5EA4BB21DAB
                                                                          SHA-512:7FE92B6CD5EAF210ADA8642FCF274B3C89B24E6D284D89191D8754D5043D950C97F78F7297553C3EE0E56C60D88223C1E2DCB67397259E9F0647F959DFA8A19B
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........|..........................................................................................................Rich....................PE..L...\.Z...........!.....*...................@...............................p............@..............................R...........@.......................P.......V...............................W..@............@...............................text....).......*.................. ..`.rdata.......@......................@..@.data........ ......................@....gfids..8....0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1224704
                                                                          Entropy (8bit):6.619655547971226
                                                                          Encrypted:false
                                                                          SSDEEP:12288:hwDrxQ3/DeOaPFLxbLpugOgopp2pPgJY/Nom9XeKcmmriYn9UTn/m+GhhsQk3OTT:hwq3/KOohh+M5gQO9i/WHW3OTriG5
                                                                          MD5:7CA710161F0986625BDD223D6E8E37E0
                                                                          SHA1:FF29F5F454D7AF49C472C12CD03ED039B2833D4D
                                                                          SHA-256:8C32BD7E6F0B286C651AF387836718944A6CB2F28BAB0767255E0161B387CCC1
                                                                          SHA-512:CF21B9EC7B13156977A2B06845230CC5222E1F9FBBC2AA7A667DF6ECC60A2A6AE7A08B259F683F53A7C99AAA1B7BC4C1CA1B066E7E6ECB0AF069EA78234A1277
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......JM...,.[.,.[.,.[.T.[.,.[5r.Z.,.[5r.Z.,.[5r.Z.,.[5r.Z.,.[,L.Z.,.[.,.[.,.[.r.Z.,.[.r.Z.,.[.r.Z.,.[.rr[.,.[.,.[.,.[.r.Z.,.[Rich.,.[........PE..L.....Z...........!.................<....................................................@......................... ................`.......................p......P...............................p...@............................................text...'........................... ..`.rdata...(.......*..................@..@.data....I.......:..................@....gfids..@....@......................@..@.tls.........P......................@....rsrc........`......................@..@.reloc.......p......................@..B................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):186368
                                                                          Entropy (8bit):6.437052892190694
                                                                          Encrypted:false
                                                                          SSDEEP:3072:xzKRrdhg6Ie/0EjnStS5g22oqlTPcF6cgWoBcyfYZeoazOrTfbyWwCp:xuRjpIWutyTglrpmoBc/Ze7OrTfbDZ
                                                                          MD5:A6F591815772522ABB444C19CBCB8875
                                                                          SHA1:52D9280B30A399FDCC98CEA5907B4D6BD4B70E4B
                                                                          SHA-256:BBEBACA74FA8F7E5354AE9E6AD14485A73D67AFE4CAC8889F49C6257BAA0A5FA
                                                                          SHA-512:5C9A43B86CF476DC9C5D2953EB9B3522A9A1492C664CE7D73CAD19D9DAE80EBFE002BD8AA5FC41D063D810F7E0FA9B5BA37D4D54388E87BFED8042CD5CF2B85F
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z...>...>...>...7...4.....=.....+.....5.....:.....=......<...>........3.....?.....f.?.....?...Rich>...................PE..L...$.Z...........!.........................................................0............@......................... +..(J..Hu...................................!..`...................................@............................................text.............................. ..`.rdata..............................@..@.data...p...........................@....tls................................@....gfids..@...........................@..@.rsrc...............................@..@.reloc...!......."..................@..B................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):745472
                                                                          Entropy (8bit):6.543320477943913
                                                                          Encrypted:false
                                                                          SSDEEP:12288:R0Spsa6b8Z42X9sIriWvfEKZWJlsusW2PTb:R0Spsa6bi9HvfEKZWJ/R2PX
                                                                          MD5:34271180589EC380E0C973E1EE2B6C7F
                                                                          SHA1:3962D796B5F431D72B5AB8FE4F107CA6CCD8E43B
                                                                          SHA-256:DA4A1875A3F25E2E94FD50BAC9FDB8CF60261167EE0F10E019C7C8CEEEC0D004
                                                                          SHA-512:49AD69EB42005EA17F32F3DDED310595F4922CF138E0989764541A63925F764549A2292A4A0BED641D7154E61B4AC5F73252F59D03600E26C4D3AC509CB97C0B
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................y.....................................U......................U......U.......P.......U.......Rich............PE..L...4.Z...........!....."...V......j........@............................................@.........................P.......TT.......0.......................@.............................|....... ...@............@..D............................text....!.......".................. ..`.rdata...}...@...~...&..............@..@.data....H..........................@....gfids..8...........................@..@.tls......... ......................@....rsrc........0......................@..@.reloc......@......................@..B........................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):186368
                                                                          Entropy (8bit):6.373003244821189
                                                                          Encrypted:false
                                                                          SSDEEP:3072:7e9IlWW9P5jzQI+3O7WQAgaCjpAQT5uv:K+4UPVQI+3O7WQ3TT5uv
                                                                          MD5:41A34F51CAA20DCFDE91F433C12F5988
                                                                          SHA1:5403646C7FA87C0480FC81F8BF98444C2029DDFE
                                                                          SHA-256:FC9D294E070C50B3C2BD6BDE1A82E2A5DDF3F19B0374EFA29EEE2A4D6257D60A
                                                                          SHA-512:EEC4F96845E96BD9ED733C254862149706FEB37E5AD48439C50F78533512E410BA79DDCEDC925CADAC1D2E6B56BCDBEC531BDD23215610124D9CCC1E358D657F
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........R..<..<..<......<...?..<...8...<...=...<...9...<.d.=...<...=...<..=..<.d.9..<.d.<..<.a....<.d.>..<.Rich.<.................PE..L.....Z...........!.....P...........1.......`............................... ............@............................. ... T...................................".. }..............................@}..@............`.. ............................text...VN.......P.................. ..`.rdata..pE...`...F...T..............@..@.data...............................@....gfids..@...........................@..@.rsrc...............................@..@.reloc...".......$..................@..B........................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):315392
                                                                          Entropy (8bit):6.468108074574678
                                                                          Encrypted:false
                                                                          SSDEEP:6144:hZiWbcnCy+zEQP5OQiuvRBC1lkVCH7rRj2SJrCoF4tKhjDMiFrt:XjboMA3ACB7N14tKhjDMwx
                                                                          MD5:821B8944BE225058CFA47863949E8330
                                                                          SHA1:70A40DBD359567E5AE0E40E209F696DAAAF1A2C8
                                                                          SHA-256:6E220A50FF97264B9DE695859F1FF6F46CA32A0118353014FAFCCCAAD1C873BB
                                                                          SHA-512:F155121B8DC5C1BAF04714A9AC7E4C77827462B23100AA55DB963898289D3B374B26BC57F7FD41532A0C59606FC0844AC16AAC948C394384FD7757DAB3CC23BD
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......i..]-es.-es.-es.$...%es..;p..es..;v.;es..;w.&es..;r.)es..;r.+es...r.(es.-er..ds..;v.3es..;s.,es..;..,es..;q.,es.Rich-es.........................PE..L...).Z...........!.........H......u`.......................................0............@..........................2...........................................4..........................<...........@............................................text.............................. ..`.rdata..J...........................@..@.data...("...........v..............@....gfids..@...........................@..@.tls................................@....rsrc...............................@..@.reloc...4.......6..................@..B........................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):466432
                                                                          Entropy (8bit):6.591031773652152
                                                                          Encrypted:false
                                                                          SSDEEP:6144:WA58L7DdM7EcKnm+LG0wXuRytGKfvylZSeFe9G/HQXXb1nOFWmlwOsIMBZqlXyUm:D8nD27Am+LGvtGKfk0HYLh9USOZ
                                                                          MD5:14A58A611F68D7C6C6A43E869F4A7CA0
                                                                          SHA1:8795B5843F449839AC2EB35F2FB9F0BC4200A5E9
                                                                          SHA-256:8377C7C9D73EA0C6187ED8AE0D6E016A13CA7B76AEE9212D95E2F72E0E2408A9
                                                                          SHA-512:783DEBCFF351171A76142CF2AA49E18F3F15DFF68609F8E2C47C1A8702AC778FC9FDE0B5005AB50AE499D0EA57A5E24C65016F54A4D9C3F1EB4BDB66BA24643A
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........t....G...G...G..G...G...F...G...F..G...F...G...F...Gk..F...G...F...G...Gv..Gk..F...Gk..F...Gk..F...Gn..G...Gk..F...GRich...G........................PE..L... .Z...........!.....T...................p...............................p............@.........................@!...................................... ..dH..@...............................`...@............p..4............................text....R.......T.................. ..`.rdata...i...p...j...X..............@..@.data...8...........................@....gfids..(...........................@..@.rsrc...............................@..@.reloc..dH... ...J..................@..B........................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):2085888
                                                                          Entropy (8bit):6.275502958098816
                                                                          Encrypted:false
                                                                          SSDEEP:49152:nMIJjR0L3RYAzqxCQhScKFVvHeb0Q1CPwv3uQ2VXoyk:MIJyLySc0leV1CPwv3uQ2
                                                                          MD5:14F37CF1955FC31C6AB544B596CC07CA
                                                                          SHA1:EFA3B6A5C92CFCE32A1E4DBF2656F9BEBA4DD746
                                                                          SHA-256:82B38741E7F28D2C47D23B0D24BD414D58A488CACD50AD3C0F359E33FB4A369D
                                                                          SHA-512:F67833DFF8DC50D3959161259B1D0D96D9BD420EF9CBA37F50E1315E6A6E84D9BD2E0858ACDB1BE9C084B80E72FE694C6F164C173CF90A4C3EEB2874512DEC1B
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.Z ..4s..4s..4s..s..4s,.5r..4s,.7r..4s,.1r..4s,.0r..4s5.5r..4s..5s..4s..4s..4s..0rY.4s..4r..4s...s..4s..6r..4sRich..4s................PE..L......Z...........!.....N...................`...............................P ...........@.........................`n...-...5..@....p..............................`U..8............................U..@............0...............................text....M.......N.................. ..`.rdata...;...`...<...R..............@..@.data............X..................@....idata.......0......................@..@.gfids..%....P......................@..@.00cfg.......`......................@..@.rsrc........p......................@..@.reloc..............................@..B........................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1023488
                                                                          Entropy (8bit):6.829669925678923
                                                                          Encrypted:false
                                                                          SSDEEP:12288:kLOOiZOSffVbf1xO9QSq8dsTwd9xLAT6O6HBlp8oWt9V+NXaZpnNnU3dFXaizR9F:k+EZd9xLAVgBlCuzR9gopeKll0GV
                                                                          MD5:FD8BD6C382FF28D9E119BB0B16DEBF0E
                                                                          SHA1:C06DC43A50ED2101DFB18FC17DCEBE6F3122C6AB
                                                                          SHA-256:C09226191A49733293D12AF73300B3965438A15A5613E916A9138402812A76A7
                                                                          SHA-512:6BB444A5CA7D38F1209E1B51EAF1BBAF373FD840C962E31EB37AAB15DF3E2C0FAC20E0C46D205EE135FA03211B287BAEB85A25CA2A3F2DF7B200823D115257D4
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N......Z...Z...Z..YZ...Z..ZZ...Z..KZ...Z..\Z...Z...Z...Z..LZ...Z...Z...Z..]Z...Z..[Z...Z..^Z...ZRich...Z........PE..L...3k.T...........!......................... .......................................4...................................m...........0.......................@..........................................@............ ..x............................text............................... ..`.rdata....... ......................@..@.data...$...........................@....rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):375296
                                                                          Entropy (8bit):5.695333832967505
                                                                          Encrypted:false
                                                                          SSDEEP:6144:4Po/RYitktWHoX7zUMnyPvKpZG4AFuvkzrzDNmGpamA8ND7P46yLqiDoVnjSOOvy:9RYwktWIX7zUMnyPSTG4AFuczrzDNmYD
                                                                          MD5:3860A72B4BFC4722CC3AB8C05F27FCCE
                                                                          SHA1:8A1B0A2E6072995F0CE9BD087AB6EA35B3D1B338
                                                                          SHA-256:D6CD873E147A3FE816AE10F5A7AFD6BD17539102DA6FCC768CE17D388453513F
                                                                          SHA-512:B80FF4B4151A3D5DD625630751D9ABE034709B312C41E8D6253A4DAA43DBA494B400B2DEC7EECDCB24E527FDD1001FB721821EE94A9BAA5B2ED4466DE288D5D4
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q1a.5P..5P..5P..<(..=P......7P...0..7P......6P......>P......>P......6P..5P...Q.......P......4P......4P......4P..Rich5P..........................PE..L......Z...........!.........................0............................................@.........................@...c=...y...................................&......8...............................@............p...............................text............................... ..`.rdata.......0......................@..@.data...\C... ...>..................@....idata...=...p...>...B..............@..@.gfids..%...........................@..@.00cfg..............................@..@.rsrc...............................@..@.reloc...,..........................@..B................................................................................................................................................................
                                                                          Process:C:\Users\user\Desktop\5006_2.6.2.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):875472
                                                                          Entropy (8bit):6.9224404430053434
                                                                          Encrypted:false
                                                                          SSDEEP:12288:TmCyHcMpK7QdgD+9Tr8r3FmJciMgLFWkA8qTWu+FVlofpJCjNdr12iqwZeq:TmCyHNIQdTryVmCipIkqTWu+Fr
                                                                          MD5:4BA25D2CBE1587A841DCFB8C8C4A6EA6
                                                                          SHA1:52693D4B5E0B55A929099B680348C3932F2C3C62
                                                                          SHA-256:B30160E759115E24425B9BCDF606EF6EBCE4657487525EDE7F1AC40B90FF7E49
                                                                          SHA-512:82E86EC67A5C6CDDF2230872F66560F4B0C3E4C1BB672507BBB8446A8D6F62512CBD0475FE23B619DB3A67BB870F4F742761CF1F87D50DB7F14076F54006F6C6
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x._'<.1t<.1t<.1t<.0t..1t...t?.1t.+.t..1t.+.t].1t.+.t..1t.+.t..1t.+.t=.1t.+.t=.1t.+.t=.1tRich<.1t................PE..L......P.........."!.....`..........<........@...............................`......l9....@.........................`...........(........................=.......S..0n..8...........................0...@............................................text....^.......`.................. ..`.data....\...p...N...d..............@....idata..............................@....rsrc...............................@..@.reloc...S.......T..................@..B........................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):53299
                                                                          Entropy (8bit):3.9943496203596918
                                                                          Encrypted:false
                                                                          SSDEEP:384:hSvfC8Vv0Vy7ojuq7GQcdWTc4zU+GFronD/yD5rBEe0kiH32Jp9AhOW:wt+TGQcdWYdMG59EeJiH3YzW
                                                                          MD5:F04A90F917BA10AE2DCBE859870F4DEA
                                                                          SHA1:6668EBE373CE58C33017697C477557653427E626
                                                                          SHA-256:99C61ABF41C3AEC38CAB3ED6270ADBCA9A247BBF5F9AA9D29ECB0659A5527F48
                                                                          SHA-512:AEC29301B9CE311B27F1590B0E0C4121ACDC183A30B570E087D77B7035684F02A6DFBDEE950C37F3023B32E2EA5A075A5FBE6D18A2804DA9490D4959733BB516
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......EGi..&...&...&..c9...&...&..7&...9...&...9...&..Rich.&..........................PE..L.....g?...........!.....p...P.......d..............................................................................0...^.......P...............................T...................................................................................text...3f.......p.................. ..`.rdata........... ..................@..@.data...............................@....idata..4...........................@....reloc..J...........................@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):217600
                                                                          Entropy (8bit):6.502467400971621
                                                                          Encrypted:false
                                                                          SSDEEP:6144:T+MCLaMRv89FpK5sZ7kwvrH/rhqlq0/HqfkT7UALGicQpgo9u9/JTibcnd//N:TfCrvSpK5sZ7kwvrH/1qlq0/HqfkTDLO
                                                                          MD5:85CEB6B1F6EA475E80A068AC1EB2E1D7
                                                                          SHA1:9C0FFED6929AC584C9B6CDCADA7BE4C74FAE05E3
                                                                          SHA-256:43A4930DC3ED17989AF435C55952D6FFD39035840BBAADEB802F2741EEA92CB1
                                                                          SHA-512:E3DAB7ED298C9785CE72941ED93B1D7F1B89D2189878A40839B7088AB267A84CBC31CCA7EAACACB3F9ADE0C59C2899BC0E30B8E37D094DB1FECC79546E30D86E
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;K..hK..hK..hB.|hO..hB.mhI..hB.zhL..hK..h...hB.jhp..hB.{hJ..hB.}hJ..hB.xhJ..hRichK..h........PE..L...@k.T...........!.....z...........................................................O..................................A.......P....P.......................`......................................8...@...............D............................text....x.......z.................. ..`.rdata..............~..............@..@.data....(... ...&..................@....rsrc........P.......*..............@..@.reloc.......`... ...2..............@..B........................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):282360
                                                                          Entropy (8bit):6.604477037348888
                                                                          Encrypted:false
                                                                          SSDEEP:6144:E4yIm5rC9WNWwKcNBSCiLvK8+jKgZBwIbg2:jyIm59WwpqCuEKIwv2
                                                                          MD5:4633B298D57014627831CCAC89A2C50B
                                                                          SHA1:E5F449766722C5C25FA02B065D22A854B6A32A5B
                                                                          SHA-256:B967E4DCE952F9232592E4C1753516081438702A53424005642700522055DBC9
                                                                          SHA-512:29590FA5F72E6A36F2B72FC2A2CCA35EE41554E13C9995198E740608975621142395D4B2E057DB4314EDF95520FD32AAE8DB066444D8D8DB0FD06C391111C6D3
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%I+&a(Eua(Eua(Eu..;uc(EuF.8uv(EuF.+uC(EuF.(u.(EuF.>uc(Eua(Du.(Eu.'.ud(EuF.4ut(EuF.?u`(EuF.9u`(EuF.=u`(EuRicha(Eu........................PE..L.....0Q...........!................z...............................................8_.............................. ...........P....................0..........8&..p...................................@...............,............................text....z.......................... ..`.rdata..=7.......@..................@..@.data...!........ ..................@....rsrc...............................@..@.reloc..p........0..................@..B................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):107768
                                                                          Entropy (8bit):6.207807273671645
                                                                          Encrypted:false
                                                                          SSDEEP:3072:xpMSqNrAF/ln2800b4U7kByZo6Fsl1LOb:xpMSq0/AN0EG4yZ/
                                                                          MD5:899A5BF1669610CDB78D322AC8D9358B
                                                                          SHA1:80A2E420B99FFE294A523C6C6D87ED09DFC8D82B
                                                                          SHA-256:AB3CCE674F5216895FD26A073771F82B05D4C8B214A89F0F288A59774A06B14B
                                                                          SHA-512:41F2459793AC04E433D8471780E770417AFAC499DC3C5413877D4A4499656C9669C069D24E638D0AAF43AF178A763ACB656FFD34D710EB5E3C94682DB1559056
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................5.......5.......5.....n..............5.......5.......5.......5......Rich....................PE..d.....0Q.........." .........t...... l..............................................r................................................\.......P..x.......T.......\....................$............................................... ...............................text...>........................... ..`.rdata...@... ...B..................@..@.data...(7...p.......T..............@....pdata..\............j..............@..@.rsrc...T............|..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):36600
                                                                          Entropy (8bit):6.293365115285525
                                                                          Encrypted:false
                                                                          SSDEEP:768:VVRRdUlDRJuOfUhk8ZX2ZeRY4soGLeTZ8wwfKRw:VVRsZREOfUhNK96TZ8wwi6
                                                                          MD5:DE7FCC77F4A503AF4CA6A47D49B3713D
                                                                          SHA1:8206E2D8374F5E7BF626E47D56D2431EDC939652
                                                                          SHA-256:4BFAA99393F635CD05D91A64DE73EDB5639412C129E049F0FE34F88517A10FC6
                                                                          SHA-512:FDACE7EE2593FFE5724DB32F4BE62BB13AA1EC89E1E01C713D8C1E9891A5A0975D127450024C3388A987A35E546568ECDBCC60C185DC8F8B08CCEF67A084B20D
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............}i.}i.}i.}h..}i...}i...}i...}i...}i...}i...}i.Rich.}i.................PE..d.....0Q.........."......V..........................................................9q......................................................d...P....................p...............a...............................................`...............................text....M.......N.................. ..h.rdata.......`.......R..............@..H.data...4....p.......X..............@....pdata...............^..............@..HINIT.................`.............. ....rsrc................h..............@..B.reloc..<............n..............@..B........................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):370424
                                                                          Entropy (8bit):6.481542014421452
                                                                          Encrypted:false
                                                                          SSDEEP:6144:pH+VjFreKE0V/NGvaX86tWBXZkbTe/CtjgZBwIV8g/wNmJ4eXk:pH+VBeT0V/NBX8k2YTe/QIwIs8k
                                                                          MD5:A672F1CF00FA5AC3F4F59577F77D8C86
                                                                          SHA1:B68E64401D91C75CAFA810086A35CD0838C61A4B
                                                                          SHA-256:35AAB6CAAAF1720A4D888AE0DE9E2A8E19604F3EA0E4DD882C3EEAE4F39AF117
                                                                          SHA-512:A566E7571437BE765279C915DD6E13F72203EFF0DC3838A154FC137ED828E05644D650FD8432D1FB4C1E1D84EE00EF9BDE90225C68C3CA8A5DA349065E7EBFD6
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........5...[...[...[.e.%...[...&...[...5...[...6..[... ...[...Z.d.[.U ...[...*...[...!...[...'...[...#...[.Rich..[.........................PE..d.....0Q.........." ................p........................................P......................................................P4.......'..P....0...........'...........@..X.......................................................X............................text............................... ..`.rdata..mm.......n..................@..@.data........@...&...,..............@....pdata...'.......(...R..............@..@.rsrc........0.......z..............@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................
                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                          Entropy (8bit):7.997137455203288
                                                                          TrID:
                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                          File name:5006_2.6.2.exe
                                                                          File size:17'131'434 bytes
                                                                          MD5:8541da559ecb090cd768bc6f3173ffc4
                                                                          SHA1:35c33bb61dcc017903a07ba70d69885c67fee39a
                                                                          SHA256:fbe8bba07f8b3c2307339d5aff885e46f8a14a251af04fc0455943c72b8c3ef6
                                                                          SHA512:4c189317d209082138b83b7e24d33ddaeae4625e9f28e323e8ea42ea680b15e42dd1bb51703be43c9d7a613a9163b717575cf4e4c96259daee7f6fbcc984b32c
                                                                          SSDEEP:393216:C9C85yn4CoUE4Px5h2SUzyIZzZahMbhE+0O1X0iCB5:pSc9xEw29+IZ4MbhP4h
                                                                          TLSH:D407339EFA45F83AD85175F42029B91D30626C8C79BC571AA13834277A3EB43DE2F25C
                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.w.F.*.....F...v...F...@...F.Rich..F.........PE..L......].................d...|......k2............@
                                                                          Icon Hash:0f33797d6d793307
                                                                          Entrypoint:0x40326b
                                                                          Entrypoint Section:.text
                                                                          Digitally signed:false
                                                                          Imagebase:0x400000
                                                                          Subsystem:windows gui
                                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                          Time Stamp:0x5DF6D4F0 [Mon Dec 16 00:50:56 2019 UTC]
                                                                          TLS Callbacks:
                                                                          CLR (.Net) Version:
                                                                          OS Version Major:4
                                                                          OS Version Minor:0
                                                                          File Version Major:4
                                                                          File Version Minor:0
                                                                          Subsystem Version Major:4
                                                                          Subsystem Version Minor:0
                                                                          Import Hash:e9c0657252137ac61c1eeeba4c021000
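The header fields above (entrypoint, image base, subsystem, the two characteristics bitmasks, the link timestamp) are what a triage script reads straight out of the COFF and optional headers. The following Python script is an added example, not part of the Joe Sandbox report or its tooling: it parses those fields with only the standard library, names the flag bits the way the report does, converts the timestamp to UTC, computes where the overlay starts, and looks there for the `\xEF\xBE\xAD\xDENullsoftInst` marker NSIS writes at the start of its first header. The same `file_type` string classifies the dropped files listed earlier (DLL flag, native versus GUI subsystem, i386 versus x86-64). The `build_sample_pe()` input is constructed to carry this report's header values and a short overlay; it is not the real 17 MB sample.

```python
"""Parse the PE header fields a sandbox report lists for a sample and
check the overlay for an NSIS installer.  Added example using only the
standard library; not Joe Sandbox's code.  Input below is constructed."""
import datetime
import struct

MACHINES = {0x14C: "Intel 80386", 0x8664: "x86-64", 0xAA64: "Aarch64"}
SUBSYSTEMS = {1: "native", 2: "GUI", 3: "console"}
FILE_CHARACTERISTICS = {  # IMAGE_FILE_HEADER.Characteristics (subset)
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED", 0x2000: "DLL",
}
DLL_CHARACTERISTICS = {  # IMAGE_OPTIONAL_HEADER.DllCharacteristics
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH",
    0x0800: "NO_BIND", 0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
NSIS_MAGIC = b"\xEF\xBE\xAD\xDENullsoftInst"  # opens the NSIS first header


def flag_names(value, table):
    """Bitmask -> list of flag names, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data):
    """Return the header fields a triage report shows, plus overlay info."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    is_pe32 = struct.unpack_from("<H", data, opt)[0] == 0x10B      # 0x20B = PE32+
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = (struct.unpack_from("<I", data, opt + 28)[0] if is_pe32
                  else struct.unpack_from("<Q", data, opt + 24)[0])  # PE32+ has no BaseOfData
    os_maj, os_min, _, _, ss_maj, ss_min = struct.unpack_from("<HHHHHH", data, opt + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    # Section table follows the optional header: Name, VirtualSize, VirtualAddress,
    # SizeOfRawData, PointerToRawData (40-byte entries, first five fields used)
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsec)]
    ep_section = next((n.rstrip(b"\0").decode("ascii", "replace")
                       for n, vsize, vaddr, rawsize, _ in sections
                       if vaddr <= entry_rva < vaddr + max(vsize, rawsize)), None)
    # Overlay = everything past the last byte of raw section data
    overlay = max((ptr + size for _, _, _, size, ptr in sections), default=len(data))
    when = datetime.datetime.fromtimestamp(stamp, datetime.timezone.utc)
    return {
        "file_type": f"{'PE32' if is_pe32 else 'PE32+'} executable"
                     f"{' (DLL)' if chars & 0x2000 else ''} "
                     f"({SUBSYSTEMS.get(subsystem, subsystem)}) {MACHINES.get(machine, hex(machine))}",
        "entrypoint": image_base + entry_rva,
        "entrypoint_section": ep_section,
        "imagebase": image_base,
        "file_characteristics": flag_names(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
        "timestamp": stamp,
        "timestamp_utc": when.strftime("%a %b %d %H:%M:%S %Y UTC"),
        "os_version": (os_maj, os_min),
        "subsystem_version": (ss_maj, ss_min),
        "overlay_offset": overlay,
        "overlay_size": max(len(data) - overlay, 0),
        "nsis": NSIS_MAGIC in data[overlay:],
    }


def build_sample_pe():
    """Constructed PE32 carrying the header values from the report above
    (entrypoint 0x40326b, imagebase 0x400000, flags, link time); not the real sample."""
    hdr = bytearray(0x200)                                   # SizeOfHeaders = 0x200
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                  # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0x5DF6D4F0, 0, 0, 0xE0, 0x010F)
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                  # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x326B)            # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", hdr, opt + 28, 0x400000)          # ImageBase
    struct.pack_into("<II", hdr, opt + 32, 0x1000, 0x200)    # section / file alignment
    struct.pack_into("<HHHHHH", hdr, opt + 40, 4, 0, 0, 0, 4, 0)  # OS, image, subsystem versions
    struct.pack_into("<I", hdr, opt + 60, 0x200)             # SizeOfHeaders
    struct.pack_into("<HH", hdr, opt + 68, 2, 0x8540)        # windows gui; DllCharacteristics
    struct.pack_into("<8sIIII", hdr, opt + 0xE0, b".text", 0x3000, 0x1000, 0x200, 0x200)
    # Raw .text: the first instructions of the listing (sub esp,184h; push ebx/esi/edi;
    # xor ebx,ebx; push 8001h), padded with int3
    text = bytes.fromhex("81EC84010000" "535657" "33DB" "6801800000").ljust(0x200, b"\xCC")
    return bytes(hdr) + text + NSIS_MAGIC + b"\0" * 16        # overlay starts at 0x400


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, val in parse_pe(data).items():
        print(f"{key}: {val:#x}" if isinstance(val, int) and not isinstance(val, bool) else f"{key}: {val}")
```

Run it with a path to print the fields for a real file, or without arguments to parse the constructed sample. Two caveats apply when reading the report's values: the link timestamp is whatever the builder wrote and, with "Digitally signed:false", nothing corroborates it, so treat it as a hint rather than evidence; and a large overlay behind an NSIS stub is normal for an installer, so the dropped-file hashes above, not the stub's header, are the indicators to pivot on.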
                                                                          Instruction (disassembly starting at the entrypoint 0x40326b, section .text):
                                                                          sub esp, 00000184h
                                                                          push ebx
                                                                          push esi
                                                                          push edi
                                                                          xor ebx, ebx
                                                                          push 00008001h
                                                                          mov dword ptr [esp+18h], ebx
                                                                          mov dword ptr [esp+10h], 0040A198h
                                                                          mov dword ptr [esp+20h], ebx
                                                                          mov byte ptr [esp+14h], 00000020h
                                                                          call dword ptr [004080A0h]
                                                                          call dword ptr [0040809Ch]
                                                                          and eax, BFFFFFFFh
                                                                          cmp ax, 00000006h
                                                                          mov dword ptr [0042F40Ch], eax
                                                                          je 00007F85A8B04A83h
                                                                          push ebx
                                                                          call 00007F85A8B07B6Bh
                                                                          cmp eax, ebx
                                                                          je 00007F85A8B04A79h
                                                                          push 00000C00h
                                                                          call eax
                                                                          mov esi, 00408298h
                                                                          push esi
                                                                          call 00007F85A8B07AE7h
                                                                          push esi
                                                                          call dword ptr [00408098h]
                                                                          lea esi, dword ptr [esi+eax+01h]
                                                                          cmp byte ptr [esi], bl
                                                                          jne 00007F85A8B04A5Dh
                                                                          push 0000000Ah
                                                                          call 00007F85A8B07B3Fh
                                                                          push 00000008h
                                                                          call 00007F85A8B07B38h
                                                                          push 00000006h
                                                                          mov dword ptr [0042F404h], eax
                                                                          call 00007F85A8B07B2Ch
                                                                          cmp eax, ebx
                                                                          je 00007F85A8B04A81h
                                                                          push 0000001Eh
                                                                          call eax
                                                                          test eax, eax
                                                                          je 00007F85A8B04A79h
                                                                          or byte ptr [0042F40Fh], 00000040h
                                                                          push ebp
                                                                          call dword ptr [00408040h]
                                                                          push ebx
                                                                          call dword ptr [00408284h]
                                                                          mov dword ptr [0042F4D8h], eax
                                                                          push ebx
                                                                          lea eax, dword ptr [esp+38h]
                                                                          push 00000160h
                                                                          push eax
                                                                          push ebx
                                                                          push 00429830h
                                                                          call dword ptr [00408178h]
                                                                          push 0040A188h
                                                                          Programming Language:
                                                                          • [EXP] VC++ 6.0 SP5 build 8804
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x853c           0xa0          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x3e000          0x19520       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x8000           0x294         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
.text   0x1000           0x62ff        0x6400    c3db412a38f3960c44c292549b21be26  False     0.672421875         data       6.457821426487787   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x8000           0x134a        0x1400    ff2238780ac4c7099d13c72f0663eda0  False     0.459765625         data       5.238921057104071   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xa000           0x25518       0x600     40b80ca9c843c54385c408bd5f31c6f1  False     0.4557291666666667  data       4.049203760121162   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata  0x30000          0xe000        0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                   empty      0.0                 IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x3e000          0x19520       0x19600   f0768d095d4f458d3e47709ec6528e7c  False     0.3665236299261084  data       5.943400539589614   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name           RVA      Size     Type                                                                                 Language  Country        ZLIB Complexity
RT_ICON        0x3e2e0  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 67584                  English   United States  0.3400567845735242
RT_ICON        0x4eb08  0x4228   Device independent bitmap graphic, 64 x 128 x 32, image size 16896                   English   United States  0.43351440717997164
RT_ICON        0x52d30  0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 9600                     English   United States  0.475207468879668
RT_ICON        0x552d8  0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 4224                     English   United States  0.551594746716698
RT_ICON        0x56380  0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 1088                     English   United States  0.6932624113475178
RT_ICON        0x567e8  0x2e8    data                                                                                 English   United States  0.020161290322580645
RT_ICON        0x56ad0  0x128    data                                                                                 English   United States  0.04391891891891892
RT_DIALOG      0x56bf8  0x202    data                                                                                 English   United States  0.4085603112840467
RT_DIALOG      0x56e00  0xf8     data                                                                                 English   United States  0.6290322580645161
RT_DIALOG      0x56ef8  0xa0     data                                                                                 English   United States  0.60625
RT_DIALOG      0x56f98  0xee     data                                                                                 English   United States  0.6260504201680672
RT_GROUP_ICON  0x57088  0x68     data                                                                                 English   United States  0.5961538461538461
RT_MANIFEST    0x570f0  0x42e    XML 1.0 document, ASCII text, with very long lines (1070), with no line terminators  English   United States  0.5130841121495328
DLL           Import
KERNEL32.dll  GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetFileAttributesA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileTime, GetFileAttributesA, SetCurrentDirectoryA, MoveFileA, GetFullPathNameA, GetShortPathNameA, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, DeleteFileA, FindFirstFileA, FindNextFileA, FindClose, SetFilePointer, GetPrivateProfileStringA, WritePrivateProfileStringA, MulDiv, MultiByteToWideChar, FreeLibrary, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll    GetSystemMenu, SetClassLongA, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, LoadImageA, CreateDialogParamA, SetTimer, SetWindowTextA, SetForegroundWindow, ShowWindow, SetWindowLongA, SendMessageTimeoutA, FindWindowExA, IsWindow, AppendMenuA, TrackPopupMenu, CreatePopupMenu, DrawTextA, EndPaint, DestroyWindow, wsprintfA, PostQuitMessage
GDI32.dll     SelectObject, SetTextColor, SetBkMode, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, GetDeviceCaps, SetBkColor
SHELL32.dll   SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll  AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll  ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll     OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
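The Import Hash printed in the static section and the DLL/function listing above are two views of the same data: the imphash is an MD5 over the import table in directory order. The following script, an added example that is not part of the Joe Sandbox report, recomputes it from the listing with the algorithm pefile uses for PE.get_imphash() (module name lower-cased with a .dll/.ocx/.sys suffix stripped, function name lower-cased, pairs joined with commas), so it needs no third-party module; whether the recomputed value equals the report's e9c0657252137ac61c1eeeba4c021000 depends on the listing above being in the same order as the import directory on disk, which the optional pefile path lets you confirm against the binary. One caveat worth keeping in mind: the `.ndata` section and this import set are those of an installer stub (they are characteristic of NSIS-built installers), so this imphash fingerprints a stub shared by countless benign installers rather than the payload the sample drops; pivot on the hashes of the dropped files and the driver instead.

```python
"""Import hash (imphash) recomputed from a DLL -> function listing.

Added example, not part of the Joe Sandbox report. It implements the
algorithm pefile uses for PE.get_imphash(). Ordinal-only imports become
"ordN"; pefile additionally maps known ordinals of oleaut32, ws2_32 and
wsock32 back to names, and that lookup table is not reproduced here.
"""
import hashlib

# The DLL -> function listing as printed in the report, in the order the
# report prints it. The report's own value is
# e9c0657252137ac61c1eeeba4c021000; the recomputed value equals it only
# if this order is the order of the import directory on disk.
_REPORT_LISTING = [
    ("KERNEL32.dll",
     "GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, "
     "ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, "
     "lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, "
     "GetWindowsDirectoryA, SetFileAttributesA, GetLastError, CreateDirectoryA, "
     "CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, "
     "WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, "
     "GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileTime, "
     "GetFileAttributesA, SetCurrentDirectoryA, MoveFileA, GetFullPathNameA, "
     "GetShortPathNameA, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, "
     "lstrcmpA, DeleteFileA, FindFirstFileA, FindNextFileA, FindClose, SetFilePointer, "
     "GetPrivateProfileStringA, WritePrivateProfileStringA, MulDiv, MultiByteToWideChar, "
     "FreeLibrary, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, "
     "ExpandEnvironmentStringsA"),
    ("USER32.dll",
     "GetSystemMenu, SetClassLongA, EnableMenuItem, IsWindowEnabled, SetWindowPos, "
     "GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, "
     "CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, "
     "OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, "
     "SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, "
     "PeekMessageA, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, "
     "DefWindowProcA, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassA, "
     "SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, "
     "ExitWindowsEx, LoadImageA, CreateDialogParamA, SetTimer, SetWindowTextA, "
     "SetForegroundWindow, ShowWindow, SetWindowLongA, SendMessageTimeoutA, FindWindowExA, "
     "IsWindow, AppendMenuA, TrackPopupMenu, CreatePopupMenu, DrawTextA, EndPaint, "
     "DestroyWindow, wsprintfA, PostQuitMessage"),
    ("GDI32.dll",
     "SelectObject, SetTextColor, SetBkMode, CreateFontIndirectA, CreateBrushIndirect, "
     "DeleteObject, GetDeviceCaps, SetBkColor"),
    ("SHELL32.dll",
     "SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, "
     "SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA"),
    ("ADVAPI32.dll",
     "AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, "
     "OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, "
     "RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA"),
    ("COMCTL32.dll", "ImageList_Create, ImageList_AddMasked, ImageList_Destroy"),
    ("ole32.dll", "OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance"),
]
REPORT_IMPORTS = [(dll, funcs.split(", ")) for dll, funcs in _REPORT_LISTING]


def normalize_dll(name):
    """Lower-case the module name and drop a .dll/.ocx/.sys extension."""
    name = name.lower()
    stem, dot, ext = name.rpartition(".")
    return stem if dot and ext in ("dll", "ocx", "sys") else name


def imphash(entries):
    """MD5 over 'dll.func' pairs; entries = iterable of (dll, [name or int ordinal])."""
    parts = []
    for dll, funcs in entries:
        lib = normalize_dll(dll)
        for func in funcs:
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def imphash_from_file(path):
    """The same value straight from a PE on disk, if pefile is installed."""
    import pefile  # third-party: pip install pefile
    return pefile.PE(path).get_imphash()


if __name__ == "__main__":
    print("recomputed from listing:", imphash(REPORT_IMPORTS))
    print("value in the report:    ", "e9c0657252137ac61c1eeeba4c021000")
```

An empty import table hashes to d41d8cd98f00b204e9800998ecf8427e, the MD5 of the empty string, which is also why the zero-byte `.ndata` section carries that MD5 in the section table above.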
Language of compilation system  Country where language is spoken
English                         United States
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Mar 20, 2024 11:50:19.385669947 CET  49712    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:19.385720968 CET    443  49712  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:19.385802984 CET  49712    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:19.386604071 CET  49712    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:19.386616945 CET    443  49712  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:20.310662985 CET    443  49712  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:20.310750008 CET  49712    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:20.312697887 CET  49712    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:20.312707901 CET    443  49712  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:20.312954903 CET    443  49712  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:20.313304901 CET  49712    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:20.360233068 CET    443  49712  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:20.579301119 CET  49713    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:20.579344988 CET    443  49713  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:20.580020905 CET  49713    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:20.580317020 CET  49713    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:20.580327988 CET    443  49713  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:20.632229090 CET    443  49712  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:20.632255077 CET    443  49712  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:20.632313013 CET    443  49712  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:20.632337093 CET  49712    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:20.632411957 CET  49712    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:21.190452099 CET    443  49713  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:21.190596104 CET  49713    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:21.191611052 CET  49713    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:21.191618919 CET    443  49713  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:21.191858053 CET    443  49713  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:21.192524910 CET  49713    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:21.236238956 CET    443  49713  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:21.839823961 CET    443  49713  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:21.839852095 CET    443  49713  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:21.839912891 CET    443  49713  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:21.839946985 CET  49713    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:21.839993954 CET  49713    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:30.647998095 CET  49712    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:30.648035049 CET    443  49712  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:30.648051023 CET  49712    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:30.648994923 CET  49714    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:30.649074078 CET    443  49714  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:30.649171114 CET  49714    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:30.649955988 CET  49714    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:30.649983883 CET    443  49714  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:31.260037899 CET    443  49714  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:31.260154963 CET  49714    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:31.261125088 CET  49714    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:31.261157990 CET    443  49714  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:31.261471033 CET    443  49714  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:31.261694908 CET  49714    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:31.304255962 CET    443  49714  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:31.850991011 CET  49713    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:31.851030111 CET    443  49713  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:31.851044893 CET  49713    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:31.852396965 CET  49715    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:31.852440119 CET    443  49715  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:31.852516890 CET  49715    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:31.852818966 CET  49715    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:31.852838039 CET    443  49715  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:31.906388044 CET    443  49714  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:31.906413078 CET    443  49714  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:31.906466007 CET    443  49714  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:31.906487942 CET  49714    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:31.906516075 CET  49714    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:32.464788914 CET    443  49715  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:32.464899063 CET  49715    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:32.465809107 CET  49715    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:32.465816975 CET    443  49715  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:32.466155052 CET    443  49715  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:32.466418982 CET  49715    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:32.508239031 CET    443  49715  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:33.109750986 CET    443  49715  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:33.109786987 CET    443  49715  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:33.109864950 CET    443  49715  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:33.109935999 CET  49715    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:33.109992981 CET  49715    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:41.897989035 CET  49714    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:41.897989988 CET  49714    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:41.898046970 CET    443  49714  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:41.899281025 CET  49716    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:41.899303913 CET    443  49716  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:41.899414062 CET  49716    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:41.913599968 CET  49716    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:41.913614988 CET    443  49716  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:42.520705938 CET    443  49716  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:42.520953894 CET  49716    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:42.521822929 CET  49716    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:42.521830082 CET    443  49716  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:42.522059917 CET    443  49716  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:42.522521973 CET  49716    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:42.564238071 CET    443  49716  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:43.101064920 CET  49715    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:43.101064920 CET  49715    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:43.101097107 CET    443  49715  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:43.102267027 CET  49717    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:43.102293015 CET    443  49717  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:43.102387905 CET  49717    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:43.102533102 CET  49717    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:43.102549076 CET    443  49717  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:43.167388916 CET    443  49716  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:43.167421103 CET    443  49716  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:43.167495012 CET    443  49716  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:43.167634964 CET  49716    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:43.167634964 CET  49716    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:43.710072041 CET    443  49717  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:43.710267067 CET  49717    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:43.711172104 CET  49717    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:43.711178064 CET    443  49717  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:43.711400986 CET    443  49717  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:43.711767912 CET  49717    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:43.756246090 CET    443  49717  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:44.354978085 CET    443  49717  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:44.355015039 CET    443  49717  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:44.355079889 CET    443  49717  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:44.355221033 CET  49717    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:53.179461002 CET  49716    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:53.179482937 CET    443  49716  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:53.179491043 CET  49716    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:53.180936098 CET  49719    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:53.180975914 CET    443  49719  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:53.181070089 CET  49719    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:53.181235075 CET  49719    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:53.181251049 CET    443  49719  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:53.789472103 CET    443  49719  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:53.789546967 CET  49719    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:53.790797949 CET  49719    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:53.790807962 CET    443  49719  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:53.791035891 CET    443  49719  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:53.791430950 CET  49719    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:53.836250067 CET    443  49719  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:54.366533995 CET  49717    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:54.366558075 CET    443  49717  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:54.366571903 CET  49717    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:54.367803097 CET  49720    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:54.367837906 CET    443  49720  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:54.367913961 CET  49720    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:54.382184982 CET  49720    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:54.382200956 CET    443  49720  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:54.433679104 CET    443  49719  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:54.433697939 CET    443  49719  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:54.433759928 CET    443  49719  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:54.433815002 CET  49719    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:54.433867931 CET  49719    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:54.990598917 CET    443  49720  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:54.990695000 CET  49720    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:54.991600037 CET  49720    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:54.991611004 CET    443  49720  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:54.991842985 CET    443  49720  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:54.992242098 CET  49720    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:55.040235996 CET    443  49720  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:55.637170076 CET    443  49720  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:55.637202978 CET    443  49720  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:55.637278080 CET    443  49720  119.8.47.97  192.168.2.5
Mar 20, 2024 11:50:55.637340069 CET  49720    443  192.168.2.5  119.8.47.97
Mar 20, 2024 11:50:55.637412071 CET  49720    443  192.168.2.5  119.8.47.97
                                                                          Mar 20, 2024 11:51:04.460452080 CET49719443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:04.460452080 CET49719443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:04.460475922 CET44349719119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:04.462748051 CET49721443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:04.462796926 CET44349721119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:04.462884903 CET49721443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:04.475931883 CET49721443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:04.475950003 CET44349721119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:05.083621025 CET44349721119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:05.083802938 CET49721443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:05.084804058 CET49721443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:05.084814072 CET44349721119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:05.085041046 CET44349721119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:05.085649014 CET49721443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:05.132260084 CET44349721119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:05.647793055 CET49720443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:05.647836924 CET44349720119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:05.647852898 CET49720443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:05.648958921 CET49722443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:05.648988008 CET44349722119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:05.649096012 CET49722443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:05.663423061 CET49722443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:05.663436890 CET44349722119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:05.728966951 CET44349721119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:05.728990078 CET44349721119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:05.729051113 CET44349721119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:05.729217052 CET49721443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:06.274643898 CET44349722119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:06.274926901 CET49722443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:06.276065111 CET49722443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:06.276072979 CET44349722119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:06.276319027 CET44349722119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:06.276546001 CET49722443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:06.324238062 CET44349722119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:06.918884039 CET44349722119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:06.918952942 CET44349722119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:06.919022083 CET49722443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:06.919048071 CET44349722119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:06.919091940 CET49722443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:06.919097900 CET44349722119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:06.919151068 CET49722443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:15.726035118 CET49721443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:15.726083994 CET44349721119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:15.726165056 CET49721443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:15.727447987 CET49723443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:15.727494955 CET44349723119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:15.727591038 CET49723443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:15.741544008 CET49723443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:15.741561890 CET44349723119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:16.350111008 CET44349723119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:16.350327969 CET49723443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:16.351367950 CET49723443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:16.351385117 CET44349723119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:16.351618052 CET44349723119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:16.351881981 CET49723443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:16.392251015 CET44349723119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:16.913639069 CET49722443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:16.913677931 CET44349722119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:16.913696051 CET49722443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:16.915707111 CET49725443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:16.915738106 CET44349725119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:16.915808916 CET49725443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:16.916109085 CET49725443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:16.916120052 CET44349725119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:16.996542931 CET44349723119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:16.996573925 CET44349723119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:16.996644020 CET44349723119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:16.996680975 CET49723443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:16.996721029 CET49723443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:17.530915976 CET44349725119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:17.531136990 CET49725443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:17.532052040 CET49725443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:17.532059908 CET44349725119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:17.532849073 CET44349725119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:17.533072948 CET49725443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:17.580255032 CET44349725119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:18.172177076 CET44349725119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:18.172262907 CET44349725119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:18.172429085 CET44349725119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:18.172496080 CET49725443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:18.172523975 CET49725443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:27.007282972 CET49723443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:27.007311106 CET44349723119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:27.008923054 CET49726443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:27.008956909 CET44349726119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:27.009020090 CET49726443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:27.009182930 CET49726443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:27.009197950 CET44349726119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:27.616730928 CET44349726119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:27.616811037 CET49726443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:27.618357897 CET49726443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:27.618367910 CET44349726119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:27.618624926 CET44349726119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:27.618866920 CET49726443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:27.664239883 CET44349726119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:28.179049015 CET49725443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:28.179090023 CET44349725119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:28.179110050 CET49725443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:28.180336952 CET49727443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:28.180367947 CET44349727119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:28.182182074 CET49727443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:28.194696903 CET49727443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:28.194713116 CET44349727119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:28.260389090 CET44349726119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:28.260416985 CET44349726119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:28.260485888 CET44349726119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:28.260493040 CET49726443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:28.260531902 CET49726443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:28.809556007 CET44349727119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:28.809719086 CET49727443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:28.810621977 CET49727443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:28.810630083 CET44349727119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:28.811395884 CET44349727119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:28.811788082 CET49727443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:28.856235027 CET44349727119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:29.452537060 CET44349727119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:29.452598095 CET44349727119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:29.452667952 CET49727443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:29.452693939 CET44349727119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:29.452739000 CET49727443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:29.452748060 CET44349727119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:29.452797890 CET49727443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:38.272799015 CET49726443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:38.272823095 CET44349726119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:38.272840977 CET49726443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:38.274187088 CET49728443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:38.274230957 CET44349728119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:38.274312019 CET49728443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:38.288342953 CET49728443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:38.288360119 CET44349728119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:38.896816015 CET44349728119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:38.897007942 CET49728443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:38.897905111 CET49728443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:38.897919893 CET44349728119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:38.898149967 CET44349728119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:38.898392916 CET49728443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:38.944236994 CET44349728119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:39.444782019 CET49727443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:39.444807053 CET44349727119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:39.444866896 CET49727443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:39.446794033 CET49729443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:39.446832895 CET44349729119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:39.446898937 CET49729443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:39.447077036 CET49729443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:39.447084904 CET44349729119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:39.541471004 CET44349728119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:39.541498899 CET44349728119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:39.541574955 CET44349728119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:39.541624069 CET49728443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:39.541714907 CET49728443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:40.060910940 CET44349729119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:40.061032057 CET49729443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:40.062011003 CET49729443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:40.062020063 CET44349729119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:40.062889099 CET44349729119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:40.063114882 CET49729443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:40.108225107 CET44349729119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:40.701478958 CET44349729119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:40.701554060 CET44349729119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:40.701630116 CET49729443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:40.701654911 CET44349729119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:40.701694012 CET49729443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:40.701715946 CET44349729119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:40.701759100 CET49729443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:49.538384914 CET49728443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:49.538464069 CET44349728119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:49.538506031 CET49728443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:49.539741039 CET49730443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:49.539849043 CET44349730119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:49.539969921 CET49730443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:49.540115118 CET49730443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:49.540139914 CET44349730119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:50.150010109 CET44349730119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:50.150162935 CET49730443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:50.151084900 CET49730443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:50.151101112 CET44349730119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:50.151463032 CET44349730119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:50.151684999 CET49730443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:50.192253113 CET44349730119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:50.710243940 CET49729443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:50.710285902 CET44349729119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:50.710300922 CET49729443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:50.723283052 CET49731443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:50.723342896 CET44349731119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:50.723422050 CET49731443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:50.723608017 CET49731443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:50.723623037 CET44349731119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:50.795722961 CET44349730119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:50.795756102 CET44349730119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:50.795814991 CET49730443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:50.795825958 CET44349730119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:50.795869112 CET49730443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:51.334142923 CET44349731119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:51.334271908 CET49731443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:51.548336983 CET49731443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:51.548382998 CET44349731119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:51.548747063 CET44349731119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:51:51.550304890 CET49731443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:51:51.592277050 CET44349731119.8.47.97192.168.2.5
Mar 20, 2024 11:51:51.978844881 CET  443    49731  119.8.47.97  192.168.2.5
Mar 20, 2024 11:51:51.978912115 CET  443    49731  119.8.47.97  192.168.2.5
Mar 20, 2024 11:51:51.979027033 CET  49731  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:51:51.979051113 CET  443    49731  119.8.47.97  192.168.2.5
Mar 20, 2024 11:51:51.979069948 CET  443    49731  119.8.47.97  192.168.2.5
Mar 20, 2024 11:51:51.979137897 CET  49731  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:00.788587093 CET  49730  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:00.788619041 CET  443    49730  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:00.788631916 CET  49730  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:00.789629936 CET  49732  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:00.789668083 CET  443    49732  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:00.791383028 CET  49732  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:00.804152966 CET  49732  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:00.804168940 CET  443    49732  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:01.411232948 CET  443    49732  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:01.411403894 CET  49732  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:01.412463903 CET  49732  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:01.412471056 CET  443    49732  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:01.412889004 CET  443    49732  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:01.413398027 CET  49732  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:01.460242033 CET  443    49732  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:01.991503000 CET  49731  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:01.991530895 CET  443    49731  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:01.991563082 CET  49731  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:01.992835045 CET  49733  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:01.992871046 CET  443    49733  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:01.992944956 CET  49733  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:02.007071018 CET  49733  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:02.007087946 CET  443    49733  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:02.055027008 CET  443    49732  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:02.055051088 CET  443    49732  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:02.055125952 CET  49732  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:02.055131912 CET  443    49732  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:02.055175066 CET  49732  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:02.624116898 CET  443    49733  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:02.624203920 CET  49733  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:02.625041008 CET  49733  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:02.625049114 CET  443    49733  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:02.625807047 CET  443    49733  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:02.626024961 CET  49733  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:02.672224998 CET  443    49733  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:03.264828920 CET  443    49733  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:03.264950991 CET  443    49733  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:03.265028000 CET  49733  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:03.265049934 CET  443    49733  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:03.265119076 CET  443    49733  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:03.265171051 CET  49733  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:12.069554090 CET  49732  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:12.069578886 CET  443    49732  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:12.069593906 CET  49732  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:12.070939064 CET  49734  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:12.070972919 CET  443    49734  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:12.071052074 CET  49734  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:12.085323095 CET  49734  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:12.085340023 CET  443    49734  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:12.694996119 CET  443    49734  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:12.695081949 CET  49734  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:12.695941925 CET  49734  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:12.695951939 CET  443    49734  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:12.696202993 CET  443    49734  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:12.696415901 CET  49734  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:12.744246960 CET  443    49734  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:13.272687912 CET  49733  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:13.272717953 CET  443    49733  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:13.272731066 CET  49733  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:13.273947001 CET  49735  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:13.273984909 CET  443    49735  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:13.274076939 CET  49735  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:13.274266958 CET  49735  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:13.274282932 CET  443    49735  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:13.341487885 CET  443    49734  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:13.341515064 CET  443    49734  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:13.341592073 CET  443    49734  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:13.341609001 CET  49734  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:13.341641903 CET  49734  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:13.890491009 CET  443    49735  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:13.890624046 CET  49735  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:13.891484976 CET  49735  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:13.891494989 CET  443    49735  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:13.892471075 CET  443    49735  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:13.896416903 CET  49735  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:13.944236040 CET  443    49735  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:14.530359030 CET  443    49735  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:14.530385017 CET  443    49735  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:14.530469894 CET  49735  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:14.530476093 CET  443    49735  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:14.530524969 CET  49735  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:23.350847960 CET  49734  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:23.350882053 CET  443    49734  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:23.350898027 CET  49734  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:23.352191925 CET  49736  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:23.352236986 CET  443    49736  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:23.352318048 CET  49736  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:23.352597952 CET  49736  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:23.352611065 CET  443    49736  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:23.964847088 CET  443    49736  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:23.964927912 CET  49736  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:23.965702057 CET  49736  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:23.965713024 CET  443    49736  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:23.965940952 CET  443    49736  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:23.966150999 CET  49736  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:24.012233019 CET  443    49736  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:24.526434898 CET  49735  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:24.526460886 CET  443    49735  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:24.526488066 CET  49735  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:24.527576923 CET  49737  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:24.527667999 CET  443    49737  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:24.527765036 CET  49737  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:24.527899027 CET  49737  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:24.527936935 CET  443    49737  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:24.610532045 CET  443    49736  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:24.610559940 CET  443    49736  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:24.610676050 CET  49736  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:24.610686064 CET  443    49736  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:24.610735893 CET  49736  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:25.136414051 CET  443    49737  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:25.136490107 CET  49737  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:25.137648106 CET  49737  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:25.137655020 CET  443    49737  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:25.137897015 CET  443    49737  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:25.138154984 CET  49737  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:25.184228897 CET  443    49737  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:25.782047033 CET  443    49737  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:25.782128096 CET  443    49737  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:25.782207966 CET  49737  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:25.782226086 CET  443    49737  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:25.782269001 CET  49737  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:25.782291889 CET  443    49737  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:25.782335997 CET  49737  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:34.600903034 CET  49736  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:34.600903034 CET  49736  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:34.600931883 CET  443    49736  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:34.602149963 CET  49738  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:34.602205992 CET  443    49738  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:34.602288961 CET  49738  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:34.616425037 CET  49738  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:34.616439104 CET  443    49738  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:35.227178097 CET  443    49738  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:35.227271080 CET  49738  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:35.228137970 CET  49738  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:35.228147984 CET  443    49738  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:35.228389025 CET  443    49738  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:35.228598118 CET  49738  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:35.276228905 CET  443    49738  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:35.788490057 CET  49737  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:35.788491011 CET  49737  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:35.788531065 CET  443    49737  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:35.799665928 CET  49739  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:35.799726009 CET  443    49739  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:35.799801111 CET  49739  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:35.804030895 CET  49739  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:35.804055929 CET  443    49739  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:35.874821901 CET  443    49738  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:35.874850988 CET  443    49738  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:35.874916077 CET  443    49738  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:35.874970913 CET  49738  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:35.874998093 CET  49738  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:36.422199965 CET  443    49739  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:36.422440052 CET  49739  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:36.423607111 CET  49739  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:36.423618078 CET  443    49739  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:36.423939943 CET  443    49739  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:36.424237013 CET  49739  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:36.468281031 CET  443    49739  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:37.064333916 CET  443    49739  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:37.064395905 CET  443    49739  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:37.064536095 CET  443    49739  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:37.064584017 CET  49739  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:37.065399885 CET  49739  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:45.911480904 CET  49738  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:45.911523104 CET  443    49738  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:45.911539078 CET  49738  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:45.923197985 CET  49740  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:45.923235893 CET  443    49740  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:45.923327923 CET  49740  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:45.923584938 CET  49740  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:45.923609018 CET  443    49740  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:46.534364939 CET  443    49740  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:46.534609079 CET  49740  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:46.535451889 CET  49740  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:46.535464048 CET  443    49740  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:46.535768032 CET  443    49740  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:46.535995960 CET  49740  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:46.580231905 CET  443    49740  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:47.069597006 CET  49739  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:47.069639921 CET  443    49739  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:47.069658041 CET  49739  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:47.071233034 CET  49741  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:47.071260929 CET  443    49741  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:47.071348906 CET  49741  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:47.085475922 CET  49741  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:47.085498095 CET  443    49741  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:47.181560993 CET  443    49740  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:47.181588888 CET  443    49740  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:47.181673050 CET  443    49740  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:47.181720972 CET  49740  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:47.181888103 CET  49740  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:47.707799911 CET  443    49741  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:47.707971096 CET  49741  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:47.708839893 CET  49741  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:47.708861113 CET  443    49741  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:47.709774017 CET  443    49741  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:47.710011959 CET  49741  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:47.756247044 CET  443    49741  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:48.353750944 CET  443    49741  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:48.353831053 CET  443    49741  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:48.353905916 CET  49741  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:48.353936911 CET  443    49741  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:48.353975058 CET  443    49741  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:48.353981972 CET  49741  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:48.354033947 CET  49741  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:57.194613934 CET  49740  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:57.194644928 CET  443    49740  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:57.194659948 CET  49740  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:57.196212053 CET  49742  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:57.196254015 CET  443    49742  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:57.196337938 CET  49742  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:57.210187912 CET  49742  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:57.210205078 CET  443    49742  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:57.823124886 CET  443    49742  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:57.823239088 CET  49742  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:57.824079037 CET  49742  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:57.824089050 CET  443    49742  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:57.824343920 CET  443    49742  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:57.824701071 CET  49742  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:57.868247986 CET  443    49742  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:58.366451979 CET  49741  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:58.366478920 CET  443    49741  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:58.366499901 CET  49741  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:58.367995977 CET  49743  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:58.368031979 CET  443    49743  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:58.368119955 CET  49743  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:58.382077932 CET  49743  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:58.382093906 CET  443    49743  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:58.481936932 CET  443    49742  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:58.481961012 CET  443    49742  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:58.482019901 CET  443    49742  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:58.482045889 CET  49742  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:58.482084036 CET  49742  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:58.999452114 CET  443    49743  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:58.999649048 CET  49743  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:59.000499964 CET  49743  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:59.000509024 CET  443    49743  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:59.001327038 CET  443    49743  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:59.001571894 CET  49743  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:59.044240952 CET  443    49743  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:59.642159939 CET  443    49743  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:59.642183065 CET  443    49743  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:59.642252922 CET  443    49743  119.8.47.97  192.168.2.5
Mar 20, 2024 11:52:59.642400980 CET  49743  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:52:59.642400980 CET  49743  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:53:08.491394997 CET  49742  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:53:08.491415977 CET  443    49742  119.8.47.97  192.168.2.5
Mar 20, 2024 11:53:08.491430044 CET  49742  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:53:08.492786884 CET  49744  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:53:08.492815971 CET  443    49744  119.8.47.97  192.168.2.5
Mar 20, 2024 11:53:08.492883921 CET  49744  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:53:08.507091045 CET  49744  443    192.168.2.5  119.8.47.97
Mar 20, 2024 11:53:08.507102966 CET  443    49744  119.8.47.97  192.168.2.5
                                                                          Mar 20, 2024 11:53:09.120800018 CET44349744119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:09.120879889 CET49744443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:09.122006893 CET49744443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:09.122015953 CET44349744119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:09.122214079 CET44349744119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:09.122425079 CET49744443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:09.164254904 CET44349744119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:09.647711039 CET49743443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:09.647736073 CET44349743119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:09.647770882 CET49743443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:09.649060011 CET49745443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:09.649142027 CET44349745119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:09.649239063 CET49745443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:09.663254023 CET49745443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:09.663306952 CET44349745119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:09.767899036 CET44349744119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:09.767920017 CET44349744119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:09.767975092 CET49744443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:09.767986059 CET44349744119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:09.767997026 CET44349744119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:09.768027067 CET49744443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:09.768052101 CET49744443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:10.280472994 CET44349745119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:10.280625105 CET49745443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:10.281745911 CET49745443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:10.281760931 CET44349745119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:10.282527924 CET44349745119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:10.282788992 CET49745443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:10.328259945 CET44349745119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:10.922415972 CET44349745119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:10.922475100 CET44349745119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:10.922545910 CET49745443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:10.922570944 CET44349745119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:10.922605991 CET44349745119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:10.922616959 CET49745443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:10.922657013 CET49745443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:19.772664070 CET49744443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:19.772687912 CET44349744119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:19.772708893 CET49744443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:19.774255037 CET49746443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:19.774290085 CET44349746119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:19.774378061 CET49746443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:19.788253069 CET49746443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:19.788266897 CET44349746119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:20.397686005 CET44349746119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:20.397816896 CET49746443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:20.399204016 CET49746443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:20.399211884 CET44349746119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:20.399528027 CET44349746119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:20.399800062 CET49746443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:20.440243959 CET44349746119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:20.928945065 CET49745443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:20.929038048 CET44349745119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:20.929081917 CET49745443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:20.930342913 CET49747443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:20.930383921 CET44349747119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:20.930474997 CET49747443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:20.944622040 CET49747443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:20.944641113 CET44349747119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:21.043958902 CET44349746119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:21.043982029 CET44349746119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:21.044054031 CET44349746119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:21.044111013 CET49746443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:21.044152975 CET49746443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:21.563307047 CET44349747119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:21.563412905 CET49747443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:21.564292908 CET49747443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:21.564301014 CET44349747119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:21.564547062 CET44349747119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:21.564771891 CET49747443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:21.608238935 CET44349747119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:22.204651117 CET44349747119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:22.204711914 CET44349747119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:22.204777956 CET49747443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:22.204798937 CET44349747119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:22.204848051 CET49747443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:22.204849005 CET44349747119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:22.204899073 CET49747443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:31.038256884 CET49746443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:31.038296938 CET44349746119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:31.038316011 CET49746443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:31.039602995 CET49748443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:31.039627075 CET44349748119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:31.039700985 CET49748443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:31.053868055 CET49748443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:31.053884983 CET44349748119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:31.660942078 CET44349748119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:31.661025047 CET49748443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:31.661994934 CET49748443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:31.662003040 CET44349748119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:31.662216902 CET44349748119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:31.662437916 CET49748443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:31.704236984 CET44349748119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:32.210160971 CET49747443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:32.210191965 CET44349747119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:32.210206985 CET49747443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:32.211589098 CET49749443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:32.211622000 CET44349749119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:32.211721897 CET49749443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:32.211920977 CET49749443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:32.211935043 CET44349749119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:32.305608034 CET44349748119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:32.305629969 CET44349748119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:32.305682898 CET44349748119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:32.305702925 CET49748443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:32.305748940 CET49748443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:32.829664946 CET44349749119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:32.829862118 CET49749443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:32.830626011 CET49749443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:32.830635071 CET44349749119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:32.831407070 CET44349749119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:32.831619978 CET49749443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:32.872237921 CET44349749119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:33.474406004 CET44349749119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:33.474461079 CET44349749119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:33.474598885 CET44349749119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:33.474620104 CET49749443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:33.474698067 CET49749443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:42.303874969 CET49748443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:42.303901911 CET44349748119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:42.303915024 CET49748443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:42.310139894 CET49750443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:42.310197115 CET44349750119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:42.310286999 CET49750443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:42.310415030 CET49750443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:42.310431004 CET44349750119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:42.922291994 CET44349750119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:42.922359943 CET49750443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:42.923229933 CET49750443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:42.923238993 CET44349750119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:42.923484087 CET44349750119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:42.923887014 CET49750443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:42.968240023 CET44349750119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:43.491626978 CET49749443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:43.491653919 CET44349749119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:43.491728067 CET49749443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:43.493046999 CET49751443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:43.493077993 CET44349751119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:43.493158102 CET49751443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:43.493288040 CET49751443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:43.493299961 CET44349751119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:43.567599058 CET44349750119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:43.567656040 CET44349750119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:43.567728996 CET44349750119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:43.567753077 CET49750443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:43.567797899 CET49750443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:44.110270977 CET44349751119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:44.112317085 CET49751443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:44.113198996 CET49751443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:44.113209009 CET44349751119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:44.113535881 CET44349751119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:44.113790989 CET49751443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:44.156244040 CET44349751119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:44.751249075 CET44349751119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:44.751328945 CET44349751119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:44.751465082 CET44349751119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:44.751467943 CET49751443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:44.751524925 CET49751443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:53.772613049 CET49750443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:53.772644997 CET44349750119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:53.772658110 CET49750443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:53.773767948 CET49752443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:53.773803949 CET44349752119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:53.773931980 CET49752443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:53.774014950 CET49752443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:53.774023056 CET44349752119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:54.386786938 CET44349752119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:54.386895895 CET49752443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:54.387964010 CET49752443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:54.387979984 CET44349752119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:54.388806105 CET44349752119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:54.390136003 CET49752443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:54.432240963 CET44349752119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:54.757128000 CET49751443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:54.757128000 CET49751443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:54.757153988 CET44349751119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:54.758286953 CET49753443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:54.758378029 CET44349753119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:54.758466005 CET49753443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:54.772773027 CET49753443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:54.772809029 CET44349753119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:55.033648968 CET44349752119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:55.033715963 CET44349752119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:55.033787966 CET49752443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:55.033799887 CET44349752119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:55.033889055 CET44349752119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:55.033914089 CET49752443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:55.033961058 CET49752443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:55.389764071 CET44349753119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:55.389976978 CET49753443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:55.390716076 CET49753443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:55.390738010 CET44349753119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:55.391530991 CET44349753119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:55.391773939 CET49753443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:55.436228037 CET44349753119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:56.031580925 CET44349753119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:56.031646013 CET44349753119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:56.031728029 CET49753443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:56.031760931 CET44349753119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:56.031821012 CET49753443192.168.2.5119.8.47.97
                                                                          Mar 20, 2024 11:53:56.031836033 CET44349753119.8.47.97192.168.2.5
                                                                          Mar 20, 2024 11:53:56.031893015 CET49753443192.168.2.5119.8.47.97
                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                          Mar 20, 2024 11:50:19.213615894 CET6388353192.168.2.51.1.1.1
                                                                          Mar 20, 2024 11:50:19.380253077 CET53638831.1.1.1192.168.2.5
                                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                          Mar 20, 2024 11:50:19.213615894 CET192.168.2.51.1.1.10xbb92Standard query (0)push.mobilefonex.comA (IP address)IN (0x0001)false
                                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                          Mar 20, 2024 11:50:19.380253077 CET1.1.1.1192.168.2.50xbb92No error (0)push.mobilefonex.com119.8.47.97A (IP address)IN (0x0001)false
                                                                          • push.mobilefonex.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49712 | 119.8.47.97 | 443 | 6056 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
2024-03-20 10:50:20 UTC | 255 | OUT | GET /?encoding=utf8 HTTP/1.1
Host: push.mobilefonex.com
Origin: https://push.mobilefonex.com
deviceId: 4953fa9c79e97e8601886c5ba93b6ec1
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: nBGeczvijzupKaYAUSH4RA==
2024-03-20 10:50:20 UTC | 245 | IN | HTTP/1.1 200 OK
Connection: close
X-Powered-By: JSP/2.3
Set-Cookie: JSESSIONID=Awh69j0a0gWyINdFbR_6G--MonHLqfp5K-pzQ0eo.push; path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Wed, 20 Mar 2024 10:50:20 GMT
2024-03-20 10:50:20 UTC | 6953 | IN | Data Raw: 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 6c 6f 6f 73 65 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 3e 0a 3c 74 69 74 6c 65 3e 57 65 6c 63 6f 6d 65 20 74 6f 20 50 75 73 68 20 53 65 72 76 65 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 09 0a 0a 0a 0a 3c 21 44 4f
Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49713 | 119.8.47.97 | 443 | 2924 | C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe

Timestamp | Bytes transferred | Direction | Data
2024-03-20 10:50:21 UTC | 264 | OUT | GET /?encoding=utf8 HTTP/1.1
Host: push.mobilefonex.com
Origin: https://push.mobilefonex.com
deviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdog
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: VZePNLUYezwqL5AtQJhrXg==
2024-03-20 10:50:21 UTC | 245 | IN | HTTP/1.1 200 OK
Connection: close
X-Powered-By: JSP/2.3
Set-Cookie: JSESSIONID=r7T_4gFDHPjltgWJbAV7Jlmt2z61OhM559usnbP9.push; path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Wed, 20 Mar 2024 10:50:21 GMT
2024-03-20 10:50:21 UTC | 6953 | IN | Data Raw: 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 6c 6f 6f 73 65 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 3e 0a 3c 74 69 74 6c 65 3e 57 65 6c 63 6f 6d 65 20 74 6f 20 50 75 73 68 20 53 65 72 76 65 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 09 0a 0a 0a 0a 3c 21 44 4f
Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49714 | 119.8.47.97 | 443 | 6056 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
2024-03-20 10:50:31 UTC | 255 | OUT | GET /?encoding=utf8 HTTP/1.1
Host: push.mobilefonex.com
Origin: https://push.mobilefonex.com
deviceId: 4953fa9c79e97e8601886c5ba93b6ec1
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: K06wdEYcvgB+fcNv0a6mOQ==
2024-03-20 10:50:31 UTC | 245 | IN | HTTP/1.1 200 OK
Connection: close
X-Powered-By: JSP/2.3
Set-Cookie: JSESSIONID=eHBT9srfdQyc9Pm9M858rJ8lxMXNVx7_oO4ix-j9.push; path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Wed, 20 Mar 2024 10:50:31 GMT
2024-03-20 10:50:31 UTC | 6953 | IN | Data Raw: 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 6c 6f 6f 73 65 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 3e 0a 3c 74 69 74 6c 65 3e 57 65 6c 63 6f 6d 65 20 74 6f 20 50 75 73 68 20 53 65 72 76 65 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 09 0a 0a 0a 0a 3c 21 44 4f
Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49715 | 119.8.47.97 | 443 | 2924 | C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe

Timestamp | Bytes transferred | Direction | Data
2024-03-20 10:50:32 UTC | 264 | OUT | GET /?encoding=utf8 HTTP/1.1
Host: push.mobilefonex.com
Origin: https://push.mobilefonex.com
deviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdog
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: d3uAPPyZNgZMaYsxjzOdHQ==
2024-03-20 10:50:33 UTC | 245 | IN | HTTP/1.1 200 OK
Connection: close
X-Powered-By: JSP/2.3
Set-Cookie: JSESSIONID=He5Q0uAvteK_7G7xdmenvqyvoEo44QnhaBoZfysW.push; path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Wed, 20 Mar 2024 10:50:32 GMT
2024-03-20 10:50:33 UTC | 6953 | IN | Data Raw: 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 6c 6f 6f 73 65 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 3e 0a 3c 74 69 74 6c 65 3e 57 65 6c 63 6f 6d 65 20 74 6f 20 50 75 73 68 20 53 65 72 76 65 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 09 0a 0a 0a 0a 3c 21 44 4f
Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49716 | 119.8.47.97 | 443 | 6056 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
2024-03-20 10:50:42 UTC | 255 | OUT | GET /?encoding=utf8 HTTP/1.1
Host: push.mobilefonex.com
Origin: https://push.mobilefonex.com
deviceId: 4953fa9c79e97e8601886c5ba93b6ec1
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: 46xSSJDLTXcqnjdLJO/7FQ==
2024-03-20 10:50:43 UTC | 245 | IN | HTTP/1.1 200 OK
Connection: close
X-Powered-By: JSP/2.3
Set-Cookie: JSESSIONID=2XFKzB69b_CZuEb-NX9CPnQDIr5r66koTemeSTql.push; path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Wed, 20 Mar 2024 10:50:43 GMT
2024-03-20 10:50:43 UTC | 6953 | IN | Data Raw: 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 6c 6f 6f 73 65 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 3e 0a 3c 74 69 74 6c 65 3e 57 65 6c 63 6f 6d 65 20 74 6f 20 50 75 73 68 20 53 65 72 76 65 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 09 0a 0a 0a 0a 3c 21 44 4f
Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49717 | 119.8.47.97 | 443 | 2924 | C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe

Timestamp | Bytes transferred | Direction | Data
2024-03-20 10:50:43 UTC | 264 | OUT | GET /?encoding=utf8 HTTP/1.1
Host: push.mobilefonex.com
Origin: https://push.mobilefonex.com
deviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdog
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: RVKJB9qTozfjyIZpU2jteA==
2024-03-20 10:50:44 UTC | 245 | IN | HTTP/1.1 200 OK
Connection: close
X-Powered-By: JSP/2.3
Set-Cookie: JSESSIONID=XlNvWntUi-dUZqBUP06lNdFsNelAxGscP2FTn3wm.push; path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Wed, 20 Mar 2024 10:50:44 GMT
2024-03-20 10:50:44 UTC | 6953 | IN | Data Raw: 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 6c 6f 6f 73 65 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 3e 0a 3c 74 69 74 6c 65 3e 57 65 6c 63 6f 6d 65 20 74 6f 20 50 75 73 68 20 53 65 72 76 65 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 09 0a 0a 0a 0a 3c 21 44 4f
Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49719 | 119.8.47.97 | 443 | 6056 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
2024-03-20 10:50:53 UTC | 255 | OUT | GET /?encoding=utf8 HTTP/1.1
Host: push.mobilefonex.com
Origin: https://push.mobilefonex.com
deviceId: 4953fa9c79e97e8601886c5ba93b6ec1
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: gU9dZVRrU0S384gBzBZzJQ==
2024-03-20 10:50:54 UTC | 245 | IN | HTTP/1.1 200 OK
Connection: close
X-Powered-By: JSP/2.3
Set-Cookie: JSESSIONID=zTPBzC_8fukEGMHGCj42ECkiINzw349LEkTM0hSj.push; path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Wed, 20 Mar 2024 10:50:54 GMT
2024-03-20 10:50:54 UTC | 6953 | IN | Data Raw: 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 6c 6f 6f 73 65 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 3e 0a 3c 74 69 74 6c 65 3e 57 65 6c 63 6f 6d 65 20 74 6f 20 50 75 73 68 20 53 65 72 76 65 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 09 0a 0a 0a 0a 3c 21 44 4f
Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49720 | 119.8.47.97 | 443 | 2924 | C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe

Timestamp | Bytes transferred | Direction | Data
2024-03-20 10:50:54 UTC | 264 | OUT | GET /?encoding=utf8 HTTP/1.1
Host: push.mobilefonex.com
Origin: https://push.mobilefonex.com
deviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdog
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: D7WQUDGO1FMmNFlXiHEsfw==
2024-03-20 10:50:55 UTC | 245 | IN | HTTP/1.1 200 OK
Connection: close
X-Powered-By: JSP/2.3
Set-Cookie: JSESSIONID=LgwN2Je50ur2nXBVgAXpGFWRSx2cZRuqtdkx5LrU.push; path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Wed, 20 Mar 2024 10:50:55 GMT
2024-03-20 10:50:55 UTC | 6953 | IN | Data Raw: 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 6c 6f 6f 73 65 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 3e 0a 3c 74 69 74 6c 65 3e 57 65 6c 63 6f 6d 65 20 74 6f 20 50 75 73 68 20 53 65 72 76 65 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 09 0a 0a 0a 0a 3c 21 44 4f
Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 49721 | 119.8.47.97 | 443 | 6056 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
2024-03-20 10:51:05 UTC | 255 | OUT | GET /?encoding=utf8 HTTP/1.1
Host: push.mobilefonex.com
Origin: https://push.mobilefonex.com
deviceId: 4953fa9c79e97e8601886c5ba93b6ec1
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: EGL7SsaWqH3VO95A5yYQDw==
2024-03-20 10:51:05 UTC | 245 | IN | HTTP/1.1 200 OK
Connection: close
X-Powered-By: JSP/2.3
Set-Cookie: JSESSIONID=1O60i0BwDR2Zhflyi9c9-JKOpKiKTk_920U0DiO_.push; path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Wed, 20 Mar 2024 10:51:05 GMT
2024-03-20 10:51:05 UTC | 6953 | IN | Data Raw: 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 6c 6f 6f 73 65 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 3e 0a 3c 74 69 74 6c 65 3e 57 65 6c 63 6f 6d 65 20 74 6f 20 50 75 73 68 20 53 65 72 76 65 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 09 0a 0a 0a 0a 3c 21 44 4f
Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.5 | 49722 | 119.8.47.97 | 443 | 2924 | C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe

Timestamp | Bytes transferred | Direction | Data
2024-03-20 10:51:06 UTC | 264 | OUT | GET /?encoding=utf8 HTTP/1.1
Host: push.mobilefonex.com
Origin: https://push.mobilefonex.com
deviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdog
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: oY4aLcRoOTHFmKQvdTb6Ew==
2024-03-20 10:51:06 UTC | 245 | IN | HTTP/1.1 200 OK
Connection: close
X-Powered-By: JSP/2.3
Set-Cookie: JSESSIONID=4TDJmb7K-S7jcpkGnQfWiGDYza9p0iU28RxQHMXX.push; path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Wed, 20 Mar 2024 10:51:06 GMT
2024-03-20 10:51:06 UTC | 6953 | IN | Data Raw: 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 6c 6f 6f 73 65 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 3e 0a 3c 74 69 74 6c 65 3e 57 65 6c 63 6f 6d 65 20 74 6f 20 50 75 73 68 20 53 65 72 76 65 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 09 0a 0a 0a 0a 3c 21 44 4f
Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
10          192.168.2.5  49723        119.8.47.97     443               6056  C:\Windows\SysWOW64\rundll32.exe

Timestamp                Bytes transferred  Direction  Data
2024-03-20 10:51:16 UTC  255                OUT        GET /?encoding=utf8 HTTP/1.1
                                                       Host: push.mobilefonex.com
                                                       Origin: https://push.mobilefonex.com
                                                       deviceId: 4953fa9c79e97e8601886c5ba93b6ec1
                                                       Connection: Upgrade
                                                       Upgrade: websocket
                                                       Sec-WebSocket-Version: 13
                                                       Sec-WebSocket-Key: axusKlgQIQCd1L1tHavMSg==
2024-03-20 10:51:16 UTC  245                IN         HTTP/1.1 200 OK
                                                       Connection: close
                                                       X-Powered-By: JSP/2.3
                                                       Set-Cookie: JSESSIONID=_d9S70Zm3r9LykEMK50vu6oA6qUqNAA6nihQ36VY.push; path=/
                                                       Content-Type: text/html;charset=ISO-8859-1
                                                       Content-Language: en-US
                                                       Date: Wed, 20 Mar 2024 10:51:16 GMT
2024-03-20 10:51:16 UTC  6953               IN         Data Raw: 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 6c 6f 6f 73 65 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 3e 0a 3c 74 69 74 6c 65 3e 57 65 6c 63 6f 6d 65 20 74 6f 20 50 75 73 68 20 53 65 72 76 65 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 09 0a 0a 0a 0a 3c 21 44 4f
                                                       Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
11          192.168.2.5  49725        119.8.47.97     443               2924  C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe

Timestamp                Bytes transferred  Direction  Data
2024-03-20 10:51:17 UTC  264                OUT        GET /?encoding=utf8 HTTP/1.1
                                                       Host: push.mobilefonex.com
                                                       Origin: https://push.mobilefonex.com
                                                       deviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdog
                                                       Connection: Upgrade
                                                       Upgrade: websocket
                                                       Sec-WebSocket-Version: 13
                                                       Sec-WebSocket-Key: zRffd4tou1bFsuBcvjgGSg==
2024-03-20 10:51:18 UTC  245                IN         HTTP/1.1 200 OK
                                                       Connection: close
                                                       X-Powered-By: JSP/2.3
                                                       Set-Cookie: JSESSIONID=h2kNAnReZCnOsr2OCn9uAeJCXPyKFbW5RvrOmFIU.push; path=/
                                                       Content-Type: text/html;charset=ISO-8859-1
                                                       Content-Language: en-US
                                                       Date: Wed, 20 Mar 2024 10:51:18 GMT
2024-03-20 10:51:18 UTC  6953               IN         Data Raw: 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 6c 6f 6f 73 65 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 3e 0a 3c 74 69 74 6c 65 3e 57 65 6c 63 6f 6d 65 20 74 6f 20 50 75 73 68 20 53 65 72 76 65 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 09 0a 0a 0a 0a 3c 21 44 4f
                                                       Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
12          192.168.2.5  49726        119.8.47.97     443               6056  C:\Windows\SysWOW64\rundll32.exe

Timestamp                Bytes transferred  Direction  Data
2024-03-20 10:51:27 UTC  255                OUT        GET /?encoding=utf8 HTTP/1.1
                                                       Host: push.mobilefonex.com
                                                       Origin: https://push.mobilefonex.com
                                                       deviceId: 4953fa9c79e97e8601886c5ba93b6ec1
                                                       Connection: Upgrade
                                                       Upgrade: websocket
                                                       Sec-WebSocket-Version: 13
                                                       Sec-WebSocket-Key: GpQWHSA2bQg5Tth8GFqfeA==
2024-03-20 10:51:28 UTC  245                IN         HTTP/1.1 200 OK
                                                       Connection: close
                                                       X-Powered-By: JSP/2.3
                                                       Set-Cookie: JSESSIONID=ZJ7wmrHrHmgpFu9BLDoAaswsaGeDtLSI8IRqXIdT.push; path=/
                                                       Content-Type: text/html;charset=ISO-8859-1
                                                       Content-Language: en-US
                                                       Date: Wed, 20 Mar 2024 10:51:28 GMT
2024-03-20 10:51:28 UTC  6953               IN         Data Raw: 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 6c 6f 6f 73 65 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 3e 0a 3c 74 69 74 6c 65 3e 57 65 6c 63 6f 6d 65 20 74 6f 20 50 75 73 68 20 53 65 72 76 65 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 09 0a 0a 0a 0a 3c 21 44 4f
                                                       Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
13          192.168.2.5  49727        119.8.47.97     443               2924  C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe

Timestamp                Bytes transferred  Direction  Data
2024-03-20 10:51:28 UTC  264                OUT        GET /?encoding=utf8 HTTP/1.1
                                                       Host: push.mobilefonex.com
                                                       Origin: https://push.mobilefonex.com
                                                       deviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdog
                                                       Connection: Upgrade
                                                       Upgrade: websocket
                                                       Sec-WebSocket-Version: 13
                                                       Sec-WebSocket-Key: KviYWWfoRxp63PoxyhdeWg==
2024-03-20 10:51:29 UTC  245                IN         HTTP/1.1 200 OK
                                                       Connection: close
                                                       X-Powered-By: JSP/2.3
                                                       Set-Cookie: JSESSIONID=-hAyR51dFOm8W7ls703FnutR4diflR77qIo6Xz5_.push; path=/
                                                       Content-Type: text/html;charset=ISO-8859-1
                                                       Content-Language: en-US
                                                       Date: Wed, 20 Mar 2024 10:51:29 GMT
2024-03-20 10:51:29 UTC  6953               IN         Data Raw: 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 6c 6f 6f 73 65 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 3e 0a 3c 74 69 74 6c 65 3e 57 65 6c 63 6f 6d 65 20 74 6f 20 50 75 73 68 20 53 65 72 76 65 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 09 0a 0a 0a 0a 3c 21 44 4f
                                                       Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
14          192.168.2.5  49728        119.8.47.97     443               6056  C:\Windows\SysWOW64\rundll32.exe

Timestamp                Bytes transferred  Direction  Data
2024-03-20 10:51:38 UTC  255                OUT        GET /?encoding=utf8 HTTP/1.1
                                                       Host: push.mobilefonex.com
                                                       Origin: https://push.mobilefonex.com
                                                       deviceId: 4953fa9c79e97e8601886c5ba93b6ec1
                                                       Connection: Upgrade
                                                       Upgrade: websocket
                                                       Sec-WebSocket-Version: 13
                                                       Sec-WebSocket-Key: tQ9ERyidHSiMxwJwv5aubA==
2024-03-20 10:51:39 UTC  245                IN         HTTP/1.1 200 OK
                                                       Connection: close
                                                       X-Powered-By: JSP/2.3
                                                       Set-Cookie: JSESSIONID=R-ztyXvyEJt2VX5MXX1gmFbAhaLwZfr3kTenrg9x.push; path=/
                                                       Content-Type: text/html;charset=ISO-8859-1
                                                       Content-Language: en-US
                                                       Date: Wed, 20 Mar 2024 10:51:39 GMT
2024-03-20 10:51:39 UTC  6953               IN         Data Raw: 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 6c 6f 6f 73 65 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 3e 0a 3c 74 69 74 6c 65 3e 57 65 6c 63 6f 6d 65 20 74 6f 20 50 75 73 68 20 53 65 72 76 65 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 09 0a 0a 0a 0a 3c 21 44 4f
                                                       Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
15          192.168.2.5  49729        119.8.47.97     443               2924  C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe

Timestamp                Bytes transferred  Direction  Data
2024-03-20 10:51:40 UTC  264                OUT        GET /?encoding=utf8 HTTP/1.1
                                                       Host: push.mobilefonex.com
                                                       Origin: https://push.mobilefonex.com
                                                       deviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdog
                                                       Connection: Upgrade
                                                       Upgrade: websocket
                                                       Sec-WebSocket-Version: 13
                                                       Sec-WebSocket-Key: xDA8Tf3dtThMnYE/Wy9yRg==
2024-03-20 10:51:40 UTC  245                IN         HTTP/1.1 200 OK
                                                       Connection: close
                                                       X-Powered-By: JSP/2.3
                                                       Set-Cookie: JSESSIONID=DMDGbXYyLc3WTA13OqzAImRU2xUh99mPEARjksxa.push; path=/
                                                       Content-Type: text/html;charset=ISO-8859-1
                                                       Content-Language: en-US
                                                       Date: Wed, 20 Mar 2024 10:51:40 GMT
2024-03-20 10:51:40 UTC  6953               IN         Data Raw: 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 6c 6f 6f 73 65 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 3e 0a 3c 74 69 74 6c 65 3e 57 65 6c 63 6f 6d 65 20 74 6f 20 50 75 73 68 20 53 65 72 76 65 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 09 0a 0a 0a 0a 3c 21 44 4f
                                                       Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
16          192.168.2.5  49730        119.8.47.97     443               6056  C:\Windows\SysWOW64\rundll32.exe

Timestamp                Bytes transferred  Direction  Data
2024-03-20 10:51:50 UTC  255                OUT        GET /?encoding=utf8 HTTP/1.1
                                                       Host: push.mobilefonex.com
                                                       Origin: https://push.mobilefonex.com
                                                       deviceId: 4953fa9c79e97e8601886c5ba93b6ec1
                                                       Connection: Upgrade
                                                       Upgrade: websocket
                                                       Sec-WebSocket-Version: 13
                                                       Sec-WebSocket-Key: +nx2ZhhyzmmBVlYjWtO3Dg==
2024-03-20 10:51:50 UTC  245                IN         HTTP/1.1 200 OK
                                                       Connection: close
                                                       X-Powered-By: JSP/2.3
                                                       Set-Cookie: JSESSIONID=GqeCqmqhnC5zQ13zhDos4TP1Xw-ZtpxgMY5QVnJK.push; path=/
                                                       Content-Type: text/html;charset=ISO-8859-1
                                                       Content-Language: en-US
                                                       Date: Wed, 20 Mar 2024 10:51:50 GMT
2024-03-20 10:51:50 UTC  6953               IN         Data Raw: 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 6c 6f 6f 73 65 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 3e 0a 3c 74 69 74 6c 65 3e 57 65 6c 63 6f 6d 65 20 74 6f 20 50 75 73 68 20 53 65 72 76 65 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 09 0a 0a 0a 0a 3c 21 44 4f
                                                       Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
17          192.168.2.5  49731        119.8.47.97     443               2924  C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe

Timestamp                Bytes transferred  Direction  Data
2024-03-20 10:51:51 UTC  264                OUT        GET /?encoding=utf8 HTTP/1.1
                                                       Host: push.mobilefonex.com
                                                       Origin: https://push.mobilefonex.com
                                                       deviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdog
                                                       Connection: Upgrade
                                                       Upgrade: websocket
                                                       Sec-WebSocket-Version: 13
                                                       Sec-WebSocket-Key: 2VQ5IS4IEXxEq1ILCPHLdA==
2024-03-20 10:51:51 UTC  245                IN         HTTP/1.1 200 OK
                                                       Connection: close
                                                       X-Powered-By: JSP/2.3
                                                       Set-Cookie: JSESSIONID=VkIbzNp351gR5Op1rvPdjD-kU7TEfhK7Jze0fgYx.push; path=/
                                                       Content-Type: text/html;charset=ISO-8859-1
                                                       Content-Language: en-US
                                                       Date: Wed, 20 Mar 2024 10:51:51 GMT
2024-03-20 10:51:51 UTC  6953               IN         Data Raw: 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 6c 6f 6f 73 65 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 3e 0a 3c 74 69 74 6c 65 3e 57 65 6c 63 6f 6d 65 20 74 6f 20 50 75 73 68 20 53 65 72 76 65 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 09 0a 0a 0a 0a 3c 21 44 4f
                                                       Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
18          192.168.2.5  49732        119.8.47.97     443               6056  C:\Windows\SysWOW64\rundll32.exe

Timestamp                Bytes transferred  Direction  Data
2024-03-20 10:52:01 UTC  255                OUT        GET /?encoding=utf8 HTTP/1.1
                                                       Host: push.mobilefonex.com
                                                       Origin: https://push.mobilefonex.com
                                                       deviceId: 4953fa9c79e97e8601886c5ba93b6ec1
                                                       Connection: Upgrade
                                                       Upgrade: websocket
                                                       Sec-WebSocket-Version: 13
                                                       Sec-WebSocket-Key: AKX0GlLjTUnejKRQwtQCPw==
2024-03-20 10:52:02 UTC  245                IN         HTTP/1.1 200 OK
                                                       Connection: close
                                                       X-Powered-By: JSP/2.3
                                                       Set-Cookie: JSESSIONID=EbNdTx8fE11zKRLVGpI8reIfgGT-WNUTa8EiR7ME.push; path=/
                                                       Content-Type: text/html;charset=ISO-8859-1
                                                       Content-Language: en-US
                                                       Date: Wed, 20 Mar 2024 10:52:01 GMT
2024-03-20 10:52:02 UTC  6953               IN         Data Raw: 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 6c 6f 6f 73 65 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 3e 0a 3c 74 69 74 6c 65 3e 57 65 6c 63 6f 6d 65 20 74 6f 20 50 75 73 68 20 53 65 72 76 65 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 09 0a 0a 0a 0a 3c 21 44 4f
                                                       Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
19          192.168.2.5  49733        119.8.47.97     443               2924  C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe

Timestamp                Bytes transferred  Direction  Data
2024-03-20 10:52:02 UTC  264                OUT        GET /?encoding=utf8 HTTP/1.1
                                                       Host: push.mobilefonex.com
                                                       Origin: https://push.mobilefonex.com
                                                       deviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdog
                                                       Connection: Upgrade
                                                       Upgrade: websocket
                                                       Sec-WebSocket-Version: 13
                                                       Sec-WebSocket-Key: FW8RC3SavSmzTKt7Ct3dJA==
2024-03-20 10:52:03 UTC  245                IN         HTTP/1.1 200 OK
                                                       Connection: close
                                                       X-Powered-By: JSP/2.3
                                                       Set-Cookie: JSESSIONID=X0K_TaIBNwk1wOweSUMtlLEETBvDyvoApQMiA30e.push; path=/
                                                       Content-Type: text/html;charset=ISO-8859-1
                                                       Content-Language: en-US
                                                       Date: Wed, 20 Mar 2024 10:52:03 GMT
2024-03-20 10:52:03 UTC  6953               IN         Data Raw: 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 6c 6f 6f 73 65 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 3e 0a 3c 74 69 74 6c 65 3e 57 65 6c 63 6f 6d 65 20 74 6f 20 50 75 73 68 20 53 65 72 76 65 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 09 0a 0a 0a 0a 3c 21 44 4f
                                                       Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
20          192.168.2.5  49734        119.8.47.97     443               6056  C:\Windows\SysWOW64\rundll32.exe

Timestamp                Bytes transferred  Direction  Data
2024-03-20 10:52:12 UTC  255                OUT        GET /?encoding=utf8 HTTP/1.1
                                                       Host: push.mobilefonex.com
                                                       Origin: https://push.mobilefonex.com
                                                       deviceId: 4953fa9c79e97e8601886c5ba93b6ec1
                                                       Connection: Upgrade
                                                       Upgrade: websocket
                                                       Sec-WebSocket-Version: 13
                                                       Sec-WebSocket-Key: bA8rED+SgjX6Uolww2uuDQ==
2024-03-20 10:52:13 UTC  245                IN         HTTP/1.1 200 OK
                                                       Connection: close
                                                       X-Powered-By: JSP/2.3
                                                       Set-Cookie: JSESSIONID=-CfOgxqJbXPRJdcoIRTSAnuqWV5_Fykzy-ucvWn8.push; path=/
                                                       Content-Type: text/html;charset=ISO-8859-1
                                                       Content-Language: en-US
                                                       Date: Wed, 20 Mar 2024 10:52:13 GMT
2024-03-20 10:52:13 UTC  6953               IN         Data Raw: (hex dump omitted)
                                                       Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
21          192.168.2.5  49735        119.8.47.97     443               2924  C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe

Timestamp                Bytes transferred  Direction  Data
2024-03-20 10:52:13 UTC  264                OUT        GET /?encoding=utf8 HTTP/1.1
                                                       Host: push.mobilefonex.com
                                                       Origin: https://push.mobilefonex.com
                                                       deviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdog
                                                       Connection: Upgrade
                                                       Upgrade: websocket
                                                       Sec-WebSocket-Version: 13
                                                       Sec-WebSocket-Key: M/0dZgAmK2bbc4EhfjMHEA==
2024-03-20 10:52:14 UTC  245                IN         HTTP/1.1 200 OK
                                                       Connection: close
                                                       X-Powered-By: JSP/2.3
                                                       Set-Cookie: JSESSIONID=mHQaA8kPwDU2m5gdlGv0wcT-tXfqaeQfKLNO3xhi.push; path=/
                                                       Content-Type: text/html;charset=ISO-8859-1
                                                       Content-Language: en-US
                                                       Date: Wed, 20 Mar 2024 10:52:14 GMT
2024-03-20 10:52:14 UTC  6953               IN         Data Raw: (hex dump omitted)
                                                       Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
22          192.168.2.5  49736        119.8.47.97     443               6056  C:\Windows\SysWOW64\rundll32.exe

Timestamp                Bytes transferred  Direction  Data
2024-03-20 10:52:23 UTC  255                OUT        GET /?encoding=utf8 HTTP/1.1
                                                       Host: push.mobilefonex.com
                                                       Origin: https://push.mobilefonex.com
                                                       deviceId: 4953fa9c79e97e8601886c5ba93b6ec1
                                                       Connection: Upgrade
                                                       Upgrade: websocket
                                                       Sec-WebSocket-Version: 13
                                                       Sec-WebSocket-Key: qzPdUq9BpTNFaSdmFqlGJA==
2024-03-20 10:52:24 UTC  245                IN         HTTP/1.1 200 OK
                                                       Connection: close
                                                       X-Powered-By: JSP/2.3
                                                       Set-Cookie: JSESSIONID=uslfB3AMYNANth7bdOTJCjvpTc8mlaxAHEQUjvsP.push; path=/
                                                       Content-Type: text/html;charset=ISO-8859-1
                                                       Content-Language: en-US
                                                       Date: Wed, 20 Mar 2024 10:52:24 GMT
2024-03-20 10:52:24 UTC  6953               IN         Data Raw: (hex dump omitted)
                                                       Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
23          192.168.2.5  49737        119.8.47.97     443               2924  C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe

Timestamp                Bytes transferred  Direction  Data
2024-03-20 10:52:25 UTC  264                OUT        GET /?encoding=utf8 HTTP/1.1
                                                       Host: push.mobilefonex.com
                                                       Origin: https://push.mobilefonex.com
                                                       deviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdog
                                                       Connection: Upgrade
                                                       Upgrade: websocket
                                                       Sec-WebSocket-Version: 13
                                                       Sec-WebSocket-Key: 45j3WK3v00YIQtxIR4wVAQ==
2024-03-20 10:52:25 UTC  245                IN         HTTP/1.1 200 OK
                                                       Connection: close
                                                       X-Powered-By: JSP/2.3
                                                       Set-Cookie: JSESSIONID=NFGIcelJxMld96LkFfEn_hBPUsI-Z_JNSd9lPns-.push; path=/
                                                       Content-Type: text/html;charset=ISO-8859-1
                                                       Content-Language: en-US
                                                       Date: Wed, 20 Mar 2024 10:52:25 GMT
2024-03-20 10:52:25 UTC  6953               IN         Data Raw: (hex dump omitted)
                                                       Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
24          192.168.2.5  49738        119.8.47.97     443               6056  C:\Windows\SysWOW64\rundll32.exe

Timestamp                Bytes transferred  Direction  Data
2024-03-20 10:52:35 UTC  255                OUT        GET /?encoding=utf8 HTTP/1.1
                                                       Host: push.mobilefonex.com
                                                       Origin: https://push.mobilefonex.com
                                                       deviceId: 4953fa9c79e97e8601886c5ba93b6ec1
                                                       Connection: Upgrade
                                                       Upgrade: websocket
                                                       Sec-WebSocket-Version: 13
                                                       Sec-WebSocket-Key: 3N+OWOC7QVBYyZxJTa95dg==
2024-03-20 10:52:35 UTC  245                IN         HTTP/1.1 200 OK
                                                       Connection: close
                                                       X-Powered-By: JSP/2.3
                                                       Set-Cookie: JSESSIONID=vI1TsHbFrw9jDdtM70SSg3-aJ74rQetwlcARk0mG.push; path=/
                                                       Content-Type: text/html;charset=ISO-8859-1
                                                       Content-Language: en-US
                                                       Date: Wed, 20 Mar 2024 10:52:35 GMT
2024-03-20 10:52:35 UTC  6953               IN         Data Raw: (hex dump omitted)
                                                       Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
25          192.168.2.5  49739        119.8.47.97     443               2924  C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe

Timestamp                Bytes transferred  Direction  Data
2024-03-20 10:52:36 UTC  264                OUT        GET /?encoding=utf8 HTTP/1.1
                                                       Host: push.mobilefonex.com
                                                       Origin: https://push.mobilefonex.com
                                                       deviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdog
                                                       Connection: Upgrade
                                                       Upgrade: websocket
                                                       Sec-WebSocket-Version: 13
                                                       Sec-WebSocket-Key: w+coMVxmqTHBeYxLkCWxaA==
2024-03-20 10:52:37 UTC  245                IN         HTTP/1.1 200 OK
                                                       Connection: close
                                                       X-Powered-By: JSP/2.3
                                                       Set-Cookie: JSESSIONID=rgjM4y0tsc1r08ifeeeKLNhmeaQ0C_09FbmX-TFc.push; path=/
                                                       Content-Type: text/html;charset=ISO-8859-1
                                                       Content-Language: en-US
                                                       Date: Wed, 20 Mar 2024 10:52:36 GMT
2024-03-20 10:52:37 UTC  6953               IN         Data Raw: (hex dump omitted)
                                                       Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
26          192.168.2.5  49740        119.8.47.97     443               6056  C:\Windows\SysWOW64\rundll32.exe

Timestamp                Bytes transferred  Direction  Data
2024-03-20 10:52:46 UTC  255                OUT        GET /?encoding=utf8 HTTP/1.1
                                                       Host: push.mobilefonex.com
                                                       Origin: https://push.mobilefonex.com
                                                       deviceId: 4953fa9c79e97e8601886c5ba93b6ec1
                                                       Connection: Upgrade
                                                       Upgrade: websocket
                                                       Sec-WebSocket-Version: 13
                                                       Sec-WebSocket-Key: uG8rQ8WHDRKy1uJwIegFIg==
2024-03-20 10:52:47 UTC  245                IN         HTTP/1.1 200 OK
                                                       Connection: close
                                                       X-Powered-By: JSP/2.3
                                                       Set-Cookie: JSESSIONID=wyZTtJSwTq2pnNJf6vsOIkozPfrrUQ_dGdMntpXA.push; path=/
                                                       Content-Type: text/html;charset=ISO-8859-1
                                                       Content-Language: en-US
                                                       Date: Wed, 20 Mar 2024 10:52:47 GMT
2024-03-20 10:52:47 UTC  6953               IN         Data Raw: (hex dump omitted)
                                                       Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
27          192.168.2.5  49741        119.8.47.97     443               2924  C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe

Timestamp                Bytes transferred  Direction  Data
2024-03-20 10:52:47 UTC  264                OUT        GET /?encoding=utf8 HTTP/1.1
                                                       Host: push.mobilefonex.com
                                                       Origin: https://push.mobilefonex.com
                                                       deviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdog
                                                       Connection: Upgrade
                                                       Upgrade: websocket
                                                       Sec-WebSocket-Version: 13
                                                       Sec-WebSocket-Key: YClmIY75KzN1bTQcf+bcJg==
2024-03-20 10:52:48 UTC  245                IN         HTTP/1.1 200 OK
                                                       Connection: close
                                                       X-Powered-By: JSP/2.3
                                                       Set-Cookie: JSESSIONID=SN4ZEggZepK7VhYj_Spt2m1PtO7TQfArYhiBc763.push; path=/
                                                       Content-Type: text/html;charset=ISO-8859-1
                                                       Content-Language: en-US
                                                       Date: Wed, 20 Mar 2024 10:52:48 GMT
2024-03-20 10:52:48 UTC  6953               IN         Data Raw: (hex dump omitted)
                                                       Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
28          192.168.2.5  49742        119.8.47.97     443               6056  C:\Windows\SysWOW64\rundll32.exe

Timestamp                Bytes transferred  Direction  Data
2024-03-20 10:52:57 UTC  255                OUT        GET /?encoding=utf8 HTTP/1.1
                                                       Host: push.mobilefonex.com
                                                       Origin: https://push.mobilefonex.com
                                                       deviceId: 4953fa9c79e97e8601886c5ba93b6ec1
                                                       Connection: Upgrade
                                                       Upgrade: websocket
                                                       Sec-WebSocket-Version: 13
                                                       Sec-WebSocket-Key: +yf5IUkAU3MZ9EhxqRkdSQ==
2024-03-20 10:52:58 UTC  245                IN         HTTP/1.1 200 OK
                                                       Connection: close
                                                       X-Powered-By: JSP/2.3
                                                       Set-Cookie: JSESSIONID=cNwsTfiZF5lYIeXepVlr-GJ1hBPCNVQszNZAKLIp.push; path=/
                                                       Content-Type: text/html;charset=ISO-8859-1
                                                       Content-Language: en-US
                                                       Date: Wed, 20 Mar 2024 10:52:58 GMT
2024-03-20 10:52:58 UTC  6953               IN         Data Raw: (hex dump omitted)
                                                       Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
29          192.168.2.5  49743        119.8.47.97     443               2924  C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe

Timestamp                Bytes transferred  Direction  Data
2024-03-20 10:52:58 UTC  264                OUT        GET /?encoding=utf8 HTTP/1.1
                                                       Host: push.mobilefonex.com
                                                       Origin: https://push.mobilefonex.com
                                                       deviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdog
                                                       Connection: Upgrade
                                                       Upgrade: websocket
                                                       Sec-WebSocket-Version: 13
                                                       Sec-WebSocket-Key: mkyZFH/MkXu0wmR8kAh4EA==
2024-03-20 10:52:59 UTC  245                IN         HTTP/1.1 200 OK
                                                       Connection: close
                                                       X-Powered-By: JSP/2.3
                                                       Set-Cookie: JSESSIONID=4PAld4L4XxCKQoUdpPDDkh70ni_bFkfXownmgZB9.push; path=/
                                                       Content-Type: text/html;charset=ISO-8859-1
                                                       Content-Language: en-US
                                                       Date: Wed, 20 Mar 2024 10:52:59 GMT
2024-03-20 10:52:59 UTC  6953               IN         Data Raw: (hex dump omitted)
                                                       Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


                                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                          30         | 192.168.2.5 | 49744       | 119.8.47.97    | 443              | 6056 | C:\Windows\SysWOW64\rundll32.exe
                                                                          Timestamp               | Bytes transferred | Direction | Data
                                                                          2024-03-20 10:53:09 UTC | 255               | OUT       | GET /?encoding=utf8 HTTP/1.1
                                                                          Host: push.mobilefonex.com
                                                                          Origin: https://push.mobilefonex.com
                                                                          deviceId: 4953fa9c79e97e8601886c5ba93b6ec1
                                                                          Connection: Upgrade
                                                                          Upgrade: websocket
                                                                          Sec-WebSocket-Version: 13
                                                                          Sec-WebSocket-Key: SSvbBKsfTCgKzR0PoKC+NQ==
                                                                          2024-03-20 10:53:09 UTC | 245 | IN | HTTP/1.1 200 OK
                                                                          Connection: close
                                                                          X-Powered-By: JSP/2.3
                                                                          Set-Cookie: JSESSIONID=3HvG1oUhMPsXDZcw21J9lQ0uhtFbjIelskIwGSxI.push; path=/
                                                                          Content-Type: text/html;charset=ISO-8859-1
                                                                          Content-Language: en-US
                                                                          Date: Wed, 20 Mar 2024 10:53:09 GMT
                                                                          2024-03-20 10:53:09 UTC | 6953 | IN | Data Raw: (hex dump omitted; ASCII rendering follows)
                                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


                                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                          31         | 192.168.2.5 | 49745       | 119.8.47.97    | 443              | 2924 | C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe
                                                                          Timestamp               | Bytes transferred | Direction | Data
                                                                          2024-03-20 10:53:10 UTC | 264               | OUT       | GET /?encoding=utf8 HTTP/1.1
                                                                          Host: push.mobilefonex.com
                                                                          Origin: https://push.mobilefonex.com
                                                                          deviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdog
                                                                          Connection: Upgrade
                                                                          Upgrade: websocket
                                                                          Sec-WebSocket-Version: 13
                                                                          Sec-WebSocket-Key: m01UNCzrLHDF9bAo7l38Kw==
                                                                          2024-03-20 10:53:10 UTC | 245 | IN | HTTP/1.1 200 OK
                                                                          Connection: close
                                                                          X-Powered-By: JSP/2.3
                                                                          Set-Cookie: JSESSIONID=Agup0NCuUeWnKPZ-cQMRvceaCujS7_vgorVsPgTZ.push; path=/
                                                                          Content-Type: text/html;charset=ISO-8859-1
                                                                          Content-Language: en-US
                                                                          Date: Wed, 20 Mar 2024 10:53:10 GMT
                                                                          2024-03-20 10:53:10 UTC | 6953 | IN | Data Raw: (hex dump omitted; ASCII rendering follows)
                                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


                                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                          32         | 192.168.2.5 | 49746       | 119.8.47.97    | 443              | 6056 | C:\Windows\SysWOW64\rundll32.exe
                                                                          Timestamp               | Bytes transferred | Direction | Data
                                                                          2024-03-20 10:53:20 UTC | 255               | OUT       | GET /?encoding=utf8 HTTP/1.1
                                                                          Host: push.mobilefonex.com
                                                                          Origin: https://push.mobilefonex.com
                                                                          deviceId: 4953fa9c79e97e8601886c5ba93b6ec1
                                                                          Connection: Upgrade
                                                                          Upgrade: websocket
                                                                          Sec-WebSocket-Version: 13
                                                                          Sec-WebSocket-Key: beJlBoaEBnWpfthTDuBmNw==
                                                                          2024-03-20 10:53:21 UTC | 245 | IN | HTTP/1.1 200 OK
                                                                          Connection: close
                                                                          X-Powered-By: JSP/2.3
                                                                          Set-Cookie: JSESSIONID=tdVl9F94J5_czulh3f1qdnE_X1Z283bwkW4krHWj.push; path=/
                                                                          Content-Type: text/html;charset=ISO-8859-1
                                                                          Content-Language: en-US
                                                                          Date: Wed, 20 Mar 2024 10:53:20 GMT
                                                                          2024-03-20 10:53:21 UTC | 6953 | IN | Data Raw: (hex dump omitted; ASCII rendering follows)
                                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


                                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port
                                                                          33         | 192.168.2.5 | 49747       | 119.8.47.97    | 443
                                                                          Timestamp               | Bytes transferred | Direction | Data
                                                                          2024-03-20 10:53:21 UTC | 264               | OUT       | GET /?encoding=utf8 HTTP/1.1
                                                                          Host: push.mobilefonex.com
                                                                          Origin: https://push.mobilefonex.com
                                                                          deviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdog
                                                                          Connection: Upgrade
                                                                          Upgrade: websocket
                                                                          Sec-WebSocket-Version: 13
                                                                          Sec-WebSocket-Key: DZcBL4vzvTm+DZE9+xTdTQ==
                                                                          2024-03-20 10:53:22 UTC | 245 | IN | HTTP/1.1 200 OK
                                                                          Connection: close
                                                                          X-Powered-By: JSP/2.3
                                                                          Set-Cookie: JSESSIONID=t9253wntXF067KFu2K9-i_Ex5I1rvfv9gzaAy7Rf.push; path=/
                                                                          Content-Type: text/html;charset=ISO-8859-1
                                                                          Content-Language: en-US
                                                                          Date: Wed, 20 Mar 2024 10:53:22 GMT
                                                                          2024-03-20 10:53:22 UTC | 6953 | IN | Data Raw: (hex dump omitted; ASCII rendering follows)
                                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


                                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                          34         | 192.168.2.5 | 49748       | 119.8.47.97    | 443              | 6056 | C:\Windows\SysWOW64\rundll32.exe
                                                                          Timestamp               | Bytes transferred | Direction | Data
                                                                          2024-03-20 10:53:31 UTC | 255               | OUT       | GET /?encoding=utf8 HTTP/1.1
                                                                          Host: push.mobilefonex.com
                                                                          Origin: https://push.mobilefonex.com
                                                                          deviceId: 4953fa9c79e97e8601886c5ba93b6ec1
                                                                          Connection: Upgrade
                                                                          Upgrade: websocket
                                                                          Sec-WebSocket-Version: 13
                                                                          Sec-WebSocket-Key: x7G4OczQ+yNPPNYJ6kOCXA==
                                                                          2024-03-20 10:53:32 UTC | 245 | IN | HTTP/1.1 200 OK
                                                                          Connection: close
                                                                          X-Powered-By: JSP/2.3
                                                                          Set-Cookie: JSESSIONID=fcWG80gknShLoFGouVKzZojNkdvDh6ANBZJ08Wz5.push; path=/
                                                                          Content-Type: text/html;charset=ISO-8859-1
                                                                          Content-Language: en-US
                                                                          Date: Wed, 20 Mar 2024 10:53:32 GMT
                                                                          2024-03-20 10:53:32 UTC | 6953 | IN | Data Raw: (hex dump omitted; ASCII rendering follows)
                                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


                                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                          35         | 192.168.2.5 | 49749       | 119.8.47.97    | 443              | 2924 | C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe
                                                                          Timestamp               | Bytes transferred | Direction | Data
                                                                          2024-03-20 10:53:32 UTC | 264               | OUT       | GET /?encoding=utf8 HTTP/1.1
                                                                          Host: push.mobilefonex.com
                                                                          Origin: https://push.mobilefonex.com
                                                                          deviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdog
                                                                          Connection: Upgrade
                                                                          Upgrade: websocket
                                                                          Sec-WebSocket-Version: 13
                                                                          Sec-WebSocket-Key: 9IS/FLMNKB63WpA5rAhtNw==
                                                                          2024-03-20 10:53:33 UTC | 245 | IN | HTTP/1.1 200 OK
                                                                          Connection: close
                                                                          X-Powered-By: JSP/2.3
                                                                          Set-Cookie: JSESSIONID=oims2NL9Z-C0MgBdQUI_Y9WUude0mKA2glANgdNy.push; path=/
                                                                          Content-Type: text/html;charset=ISO-8859-1
                                                                          Content-Language: en-US
                                                                          Date: Wed, 20 Mar 2024 10:53:33 GMT
                                                                          2024-03-20 10:53:33 UTC | 6953 | IN | Data Raw: (hex dump omitted; ASCII rendering follows)
                                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


                                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                          36         | 192.168.2.5 | 49750       | 119.8.47.97    | 443              | 6056 | C:\Windows\SysWOW64\rundll32.exe
                                                                          Timestamp               | Bytes transferred | Direction | Data
                                                                          2024-03-20 10:53:42 UTC | 255               | OUT       | GET /?encoding=utf8 HTTP/1.1
                                                                          Host: push.mobilefonex.com
                                                                          Origin: https://push.mobilefonex.com
                                                                          deviceId: 4953fa9c79e97e8601886c5ba93b6ec1
                                                                          Connection: Upgrade
                                                                          Upgrade: websocket
                                                                          Sec-WebSocket-Version: 13
                                                                          Sec-WebSocket-Key: dKkrZez1mjrnXJluXooFCA==
                                                                          2024-03-20 10:53:43 UTC | 245 | IN | HTTP/1.1 200 OK
                                                                          Connection: close
                                                                          X-Powered-By: JSP/2.3
                                                                          Set-Cookie: JSESSIONID=WqB2j8mvbo9F6xl6N3uQJhPA0NxC6YcWT-AaMnu8.push; path=/
                                                                          Content-Type: text/html;charset=ISO-8859-1
                                                                          Content-Language: en-US
                                                                          Date: Wed, 20 Mar 2024 10:53:43 GMT
                                                                          2024-03-20 10:53:43 UTC | 6953 | IN | Data Raw: (hex dump omitted; ASCII rendering follows)
                                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


                                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                          37         | 192.168.2.5 | 49751       | 119.8.47.97    | 443              | 2924 | C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe
                                                                          Timestamp               | Bytes transferred | Direction | Data
                                                                          2024-03-20 10:53:44 UTC | 264               | OUT       | GET /?encoding=utf8 HTTP/1.1
                                                                          Host: push.mobilefonex.com
                                                                          Origin: https://push.mobilefonex.com
                                                                          deviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdog
                                                                          Connection: Upgrade
                                                                          Upgrade: websocket
                                                                          Sec-WebSocket-Version: 13
                                                                          Sec-WebSocket-Key: EVQFTYM/XUMj8y127qJCRw==
                                                                          2024-03-20 10:53:44 UTC | 245 | IN | HTTP/1.1 200 OK
                                                                          Connection: close
                                                                          X-Powered-By: JSP/2.3
                                                                          Set-Cookie: JSESSIONID=RzXbIqszSA-rA-yFM-K4R0Rp7XcOTsAsF1LDQz6m.push; path=/
                                                                          Content-Type: text/html;charset=ISO-8859-1
                                                                          Content-Language: en-US
                                                                          Date: Wed, 20 Mar 2024 10:53:44 GMT
                                                                          2024-03-20 10:53:44 UTC | 6953 | IN | Data Raw: (hex dump omitted; ASCII rendering follows)
                                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


                                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                          38         | 192.168.2.5 | 49752       | 119.8.47.97    | 443              | 6056 | C:\Windows\SysWOW64\rundll32.exe
                                                                          Timestamp               | Bytes transferred | Direction | Data
                                                                          2024-03-20 10:53:54 UTC | 255               | OUT       | GET /?encoding=utf8 HTTP/1.1
                                                                          Host: push.mobilefonex.com
                                                                          Origin: https://push.mobilefonex.com
                                                                          deviceId: 4953fa9c79e97e8601886c5ba93b6ec1
                                                                          Connection: Upgrade
                                                                          Upgrade: websocket
                                                                          Sec-WebSocket-Version: 13
                                                                          Sec-WebSocket-Key: BYg5cUonXixA8AxSrtjCJQ==
                                                                          2024-03-20 10:53:55 UTC | 245 | IN | HTTP/1.1 200 OK
                                                                          Connection: close
                                                                          X-Powered-By: JSP/2.3
                                                                          Set-Cookie: JSESSIONID=NANqImkKImWA67QUdt4MOcvbadoQq4IPGaJOUpJu.push; path=/
                                                                          Content-Type: text/html;charset=ISO-8859-1
                                                                          Content-Language: en-US
                                                                          Date: Wed, 20 Mar 2024 10:53:54 GMT
                                                                          2024-03-20 10:53:55 UTC | 6953 | IN | Data Raw: (hex dump omitted; ASCII rendering follows)
                                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO


                                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                          39         | 192.168.2.5 | 49753       | 119.8.47.97    | 443              | 2924 | C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe
                                                                          Timestamp               | Bytes transferred | Direction | Data
                                                                          2024-03-20 10:53:55 UTC | 264               | OUT       | GET /?encoding=utf8 HTTP/1.1
                                                                          Host: push.mobilefonex.com
                                                                          Origin: https://push.mobilefonex.com
                                                                          deviceId: 4953fa9c79e97e8601886c5ba93b6ec1_watchdog
                                                                          Connection: Upgrade
                                                                          Upgrade: websocket
                                                                          Sec-WebSocket-Version: 13
                                                                          Sec-WebSocket-Key: WHSlChQsUEDWLbIK9lZ6cA==
                                                                          2024-03-20 10:53:56 UTC | 245 | IN | HTTP/1.1 200 OK
                                                                          Connection: close
                                                                          X-Powered-By: JSP/2.3
                                                                          Set-Cookie: JSESSIONID=QnMV0lpmukVu0Pu1jXJzbHuWDQFnK0bFY2nt43vX.push; path=/
                                                                          Content-Type: text/html;charset=ISO-8859-1
                                                                          Content-Language: en-US
                                                                          Date: Wed, 20 Mar 2024 10:53:55 GMT
                                                                          2024-03-20 10:53:56 UTC | 6953 | IN | Data Raw: (hex dump omitted; ASCII rendering follows)
                                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Welcome to Push Server</title></head><body><!DO
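The request above asked for a WebSocket upgrade (Connection: Upgrade, Upgrade: websocket, Sec-WebSocket-Key), but the server answered 200 OK with Connection: close and an HTML "Welcome to Push Server" page instead of 101 Switching Protocols, so no WebSocket session was established on this connection. The following added example, which is not part of the Joe Sandbox report, validates a handshake response the way RFC 6455 requires: status 101, Upgrade and Connection headers, and a Sec-WebSocket-Accept equal to base64(SHA-1(key + the fixed RFC GUID)). The captured key and 200 response are taken from the page (body truncated); the 101 response is constructed to show what a compliant server would have returned for the same key.

```python
"""Validate an RFC 6455 WebSocket handshake response against the request's key."""
import base64
import hashlib

# Fixed GUID from RFC 6455 section 1.3; the server appends it to the client key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def expected_accept(client_key: str) -> str:
    """Sec-WebSocket-Accept a server must return for a given Sec-WebSocket-Key."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_response(raw: str):
    """Split an HTTP/1.1 response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def handshake_result(client_key: str, raw_response: str) -> tuple[bool, str]:
    """Return (ok, reason) for a server's reply to a WebSocket upgrade request."""
    status, headers, _ = parse_response(raw_response)
    if status != 101:
        return False, f"status {status}, expected 101"
    if headers.get("upgrade", "").lower() != "websocket":
        return False, "missing or wrong Upgrade header"
    if "upgrade" not in headers.get("connection", "").lower():
        return False, "Connection header does not contain 'upgrade'"
    if headers.get("sec-websocket-accept") != expected_accept(client_key):
        return False, "Sec-WebSocket-Accept does not match key"
    return True, "handshake accepted"


# Sec-WebSocket-Key from the captured request on the page.
PAGE_KEY = "WHSlChQsUEDWLbIK9lZ6cA=="

# Captured server reply from the page; the HTML body is truncated to a fragment.
PAGE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Connection: close\r\n"
    "X-Powered-By: JSP/2.3\r\n"
    "Set-Cookie: JSESSIONID=QnMV0lpmukVu0Pu1jXJzbHuWDQFnK0bFY2nt43vX.push; path=/\r\n"
    "Content-Type: text/html;charset=ISO-8859-1\r\n"
    "Content-Language: en-US\r\n"
    "Date: Wed, 20 Mar 2024 10:53:55 GMT\r\n"
    "\r\n"
    "<!DOCTYPE html><html><head><title>Welcome to Push Server</title></head>"
)

# Constructed reply: what a compliant server would send back for the same key.
GOOD_RESPONSE = (
    "HTTP/1.1 101 Switching Protocols\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    f"Sec-WebSocket-Accept: {expected_accept(PAGE_KEY)}\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, resp in (("captured", PAGE_RESPONSE), ("compliant", GOOD_RESPONSE)):
        print(label, handshake_result(PAGE_KEY, resp))
```

The accept check matters in traffic analysis because a proxy or a misconfigured endpoint can echo Upgrade headers without actually computing the key; only a correct Sec-WebSocket-Accept proves the peer ran the handshake.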


Code Manipulations

Function Name                   Hook Type   Active in Processes   New Data (patched prologue bytes)
NtOpenFile                      INLINE      explorer.exe          0xE9 0x98 0x8B 0xB4 0x43 0x39
NtQuerySystemInformation        INLINE      explorer.exe          0xE9 0x9A 0xAB 0xB2 0x21 0x19
ZwQuerySystemInformation        INLINE      explorer.exe          0xE9 0x9A 0xAB 0xB2 0x21 0x19
RtlGetNativeSystemInformation   INLINE      explorer.exe          0xE9 0x9A 0xAB 0xB2 0x21 0x19
ZwOpenFile                      INLINE      explorer.exe          0xE9 0x98 0x8B 0xB4 0x43 0x39

Process32FirstW                 INLINE      explorer.exe          0xE9 0x94 0x4B 0xBD 0xD4 0x43
Process32Next                   INLINE      explorer.exe          0xE9 0x98 0x8B 0xBB 0xBD 0xD3
Process32NextW                  INLINE      explorer.exe          0xE9 0x96 0x6B 0xBD 0xD7 0x73
Process32First                  INLINE      explorer.exe          0xE9 0x9C 0xCB 0xBB 0xBD 0xD3

connect                         INLINE      explorer.exe          0xE9 0x9B 0xBB 0xBC 0xCD 0xD6
sendto                          INLINE      explorer.exe          0xE9 0x96 0x6B 0xBD 0xD2 0x26
WSAConnect                      INLINE      explorer.exe          0xE9 0x91 0x1B 0xBE 0xE6 0x66
closesocket                     INLINE      explorer.exe          0xE9 0x92 0x2B 0xB9 0x9A 0xA6
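Every "New Data" entry in the table begins with 0xE9, the x86 opcode for a near relative jump with a 32-bit little-endian displacement, so each row is a JMP-style inline hook written over the first five bytes of the export inside explorer.exe. The added Python example below is not part of the Joe Sandbox report; it decodes the rows, groups the hooked exports by the behaviour the hook gives the malware control over (process enumeration, file and directory queries, winsock traffic), recovers the jump displacement, and shows how the absolute hook target is computed once the unhooked export's address is known. The report gives no export addresses, so the 0x77000000 address in the usage call is an assumption for illustration only. It also groups functions whose patch bytes are identical: because rel32 is relative to the patched address, identical bytes are what you see when several export names resolve to one address, as Nt*/Zw* pairs do in ntdll.

```python
"""Decode the inline hooks listed in a Code Manipulations table."""
import struct

# Rows copied from the table above: (function, hook type, process, "New Data" bytes).
HOOK_ROWS = [
    ("NtOpenFile", "INLINE", "explorer.exe", "0xE9 0x98 0x8B 0xB4 0x43 0x39"),
    ("NtQuerySystemInformation", "INLINE", "explorer.exe", "0xE9 0x9A 0xAB 0xB2 0x21 0x19"),
    ("ZwQuerySystemInformation", "INLINE", "explorer.exe", "0xE9 0x9A 0xAB 0xB2 0x21 0x19"),
    ("RtlGetNativeSystemInformation", "INLINE", "explorer.exe", "0xE9 0x9A 0xAB 0xB2 0x21 0x19"),
    ("ZwOpenFile", "INLINE", "explorer.exe", "0xE9 0x98 0x8B 0xB4 0x43 0x39"),
    ("Process32FirstW", "INLINE", "explorer.exe", "0xE9 0x94 0x4B 0xBD 0xD4 0x43"),
    ("Process32Next", "INLINE", "explorer.exe", "0xE9 0x98 0x8B 0xBB 0xBD 0xD3"),
    ("Process32NextW", "INLINE", "explorer.exe", "0xE9 0x96 0x6B 0xBD 0xD7 0x73"),
    ("Process32First", "INLINE", "explorer.exe", "0xE9 0x9C 0xCB 0xBB 0xBD 0xD3"),
    ("connect", "INLINE", "explorer.exe", "0xE9 0x9B 0xBB 0xBC 0xCD 0xD6"),
    ("sendto", "INLINE", "explorer.exe", "0xE9 0x96 0x6B 0xBD 0xD2 0x26"),
    ("WSAConnect", "INLINE", "explorer.exe", "0xE9 0x91 0x1B 0xBE 0xE6 0x66"),
    ("closesocket", "INLINE", "explorer.exe", "0xE9 0x92 0x2B 0xB9 0x9A 0xA6"),
]

# Which behaviour a hook on each export lets the caller filter or alter.
FAMILIES = {
    "process enumeration (hide processes)": {
        "NtQuerySystemInformation", "ZwQuerySystemInformation",
        "RtlGetNativeSystemInformation", "Process32First", "Process32FirstW",
        "Process32Next", "Process32NextW"},
    "file/directory query (hide files)": {"NtOpenFile", "ZwOpenFile"},
    "winsock (intercept traffic)": {"connect", "sendto", "WSAConnect", "closesocket"},
}


def parse_bytes(text: str) -> bytes:
    """'0xE9 0x98 ...' -> b'\\xe9\\x98...'."""
    return bytes(int(tok, 16) for tok in text.split())


def jmp_rel32_displacement(prologue: bytes):
    """Signed rel32 of an E9 jump at the start of the prologue, or None if not a jump."""
    if len(prologue) < 5 or prologue[0] != 0xE9:
        return None
    return struct.unpack_from("<i", prologue, 1)[0]


def jmp_rel32_target(prologue: bytes, func_addr: int):
    """Absolute 32-bit target: address of the instruction after the 5-byte JMP plus rel32."""
    rel = jmp_rel32_displacement(prologue)
    if rel is None:
        return None
    return (func_addr + 5 + rel) & 0xFFFFFFFF


def family_of(func: str) -> str:
    for family, members in FAMILIES.items():
        if func in members:
            return family
    return "other"


def analyze(rows, func_addrs=None):
    """One record per row: family, whether the prologue is an E9 jump, its displacement,
    and the absolute target when the export's unhooked address is supplied."""
    func_addrs = func_addrs or {}
    results = []
    for func, hook_type, process, data in rows:
        prologue = parse_bytes(data)
        rel = jmp_rel32_displacement(prologue)
        target = jmp_rel32_target(prologue, func_addrs[func]) if func in func_addrs else None
        results.append({"function": func, "hook_type": hook_type, "process": process,
                        "family": family_of(func), "is_jmp": rel is not None,
                        "rel32": rel, "target": target})
    return results


def same_patch_groups(rows):
    """Functions whose patched bytes are identical (same rel32 from the same address)."""
    groups = {}
    for func, _, _, data in rows:
        groups.setdefault(parse_bytes(data), []).append(func)
    return {patch: funcs for patch, funcs in groups.items() if len(funcs) > 1}


if __name__ == "__main__":
    # Assumed address for illustration only; the report does not list export addresses.
    assumed = {"NtOpenFile": 0x77000000}
    for record in analyze(HOOK_ROWS, assumed):
        print(record)
    for patch, funcs in same_patch_groups(HOOK_ROWS).items():
        print(patch.hex(), "->", funcs)
```

When reproducing this on a live system, compare the first bytes of each export in the target process against the same export in a clean copy of the module loaded from disk; a standard hot-patchable prologue (mov edi,edi; push ebp; mov ebp,esp) never starts with 0xE9, which is why the decoder returns None for it.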


                                                                          Target ID:0
                                                                          Start time:11:49:56
                                                                          Start date:20/03/2024
                                                                          Path:C:\Users\user\Desktop\5006_2.6.2.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\Desktop\5006_2.6.2.exe"
                                                                          Imagebase:0x400000
                                                                          File size:17'131'434 bytes
                                                                          MD5 hash:8541DA559ECB090CD768BC6F3173FFC4
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:2
                                                                          Start time:11:49:56
                                                                          Start date:20/03/2024
                                                                          Path:C:\Users\user\AppData\Roaming\Windows Provisioning\antivirus_detector.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||
                                                                          Imagebase:0x9f0000
                                                                          File size:2'827'776 bytes
                                                                          MD5 hash:7BCC1F1DEB45BF58C7C559DFE3240E08
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:low
                                                                          Has exited:false

                                                                          Target ID:3
                                                                          Start time:11:50:06
                                                                          Start date:20/03/2024
                                                                          Path:C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe" -s=1
                                                                          Imagebase:0x400000
                                                                          File size:16'131'606 bytes
                                                                          MD5 hash:2F61BD2AC7DC2252AD5743093CEB09DC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:4
                                                                          Start time:11:50:09
                                                                          Start date:20/03/2024
                                                                          Path:C:\Program Files (x86)\Windows Provisioning\post_install.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0
                                                                          Imagebase:0x5b0000
                                                                          File size:204'800 bytes
                                                                          MD5 hash:52A76696B447635922D8EC87D0DA7FEE
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:5
                                                                          Start time:11:50:12
                                                                          Start date:20/03/2024
                                                                          Path:C:\Program Files (x86)\Windows Provisioning\svcAppUpdate.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Program Files (x86)\Windows Provisioning\svcAppUpdate.exe"
                                                                          Imagebase:0x6a0000
                                                                          File size:84'992 bytes
                                                                          MD5 hash:E53E0020D7FE34B1E8F75AF444E64C72
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:7
                                                                          Start time:11:50:16
                                                                          Start date:20/03/2024
                                                                          Path:C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Program Files (x86)\Windows Provisioning\svcAppInit.exe"
                                                                          Imagebase:0x800000
                                                                          File size:137'216 bytes
                                                                          MD5 hash:3135A7FEE1AD484104A1309104312D9E
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:low
                                                                          Has exited:false

                                                                          Target ID:8
                                                                          Start time:11:50:16
                                                                          Start date:20/03/2024
                                                                          Path:C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Program Files (x86)\Windows Provisioning\svcAppLookup.exe"
                                                                          Imagebase:0x680000
                                                                          File size:610'816 bytes
                                                                          MD5 hash:794122A33A390FF07CA891B568110D10
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:low
                                                                          Has exited:false

                                                                          Target ID:9
                                                                          Start time:11:50:16
                                                                          Start date:20/03/2024
                                                                          Path:C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Program Files (x86)\Windows Provisioning\nt_system_service.exe"
                                                                          Imagebase:0x870000
                                                                          File size:1'601'024 bytes
                                                                          MD5 hash:64F8F960D535AA6200E620C1DEF292FB
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:low
                                                                          Has exited:false

                                                                          Target ID:10
                                                                          Start time:11:50:17
                                                                          Start date:20/03/2024
                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:rundll32.exe "C:\Program Files (x86)\Windows Provisioning\svcAppInit.dll",ProcessDll s=hidedialog
                                                                          Imagebase:0xed0000
                                                                          File size:61'440 bytes
                                                                          MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: Windows_Ransomware_Hellokitty_d9391a1a, Description: unknown, Source: 0000000A.00000002.4464326614.000000006AAB1000.00000020.00000001.01000000.0000001B.sdmp, Author: unknown
                                                                          Reputation:high
                                                                          Has exited:false

                                                                          Target ID:11
                                                                          Start time:11:50:17
                                                                          Start date:20/03/2024
                                                                          Path:C:\Windows\System32\rundll32.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\sysnative\rundll32.exe "C:\Program Files (x86)\Windows Provisioning\windows_hook_64.dll",ProcessDllStub
                                                                          Imagebase:0x7ff693c40000
                                                                          File size:71'680 bytes
                                                                          MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:false

                                                                          Target ID:12
                                                                          Start time:11:50:17
                                                                          Start date:20/03/2024
                                                                          Path:C:\Program Files (x86)\Windows Provisioning\nss\certutil.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:nss\certutil -A -t "TCu" -i "C:\PROGRA~2\WIE901~1\app_data\DE_NET~1/SSL/DIGICE~1.CER" -n "de_netfilter/SSL/DigiCert SHA2 Extended Validation Server CA 3" -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\V6ZCHH~1.DEF" -f pwfile
                                                                          Imagebase:0x980000
                                                                          File size:190'464 bytes
                                                                          MD5 hash:3337B8D5AAB06D9072E3D4A72E0F9D26
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:low
                                                                          Has exited:true
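Target ID 12 above runs NSS certutil with -A (add certificate) and -t "TCu" against the user's Firefox profile database: in NSS trust syntax the first comma-separated field is the SSL category, and C and T there mark the certificate as a CA trusted to issue server and client TLS certificates respectively, so Firefox will accept any server certificate chained to it. The nickname reuses the name of a DigiCert intermediate CA, and -f pwfile supplies the database password non-interactively. The added Python example below is not part of the Joe Sandbox report; it parses that command line, decodes the trust flags, and scans a certutil -L listing for any entry granted CA trust in the SSL category. The listing is constructed to show what the profile would report after the command ran; against a real profile, feed it the output of certutil -L -d sql:<profile dir> instead. The flag meanings follow the certutil documentation; the parser treats categories omitted from the -t string as empty.

```python
"""Flag CA certificates injected into a Firefox NSS profile by a certutil -A call."""
import re

# Command line copied from the report's Target ID 12 entry.
CERTUTIL_CMDLINE = (
    r'nss\certutil -A -t "TCu" -i "C:\PROGRA~2\WIE901~1\app_data\DE_NET~1/SSL/DIGICE~1.CER" '
    r'-n "de_netfilter/SSL/DigiCert SHA2 Extended Validation Server CA 3" '
    r'-d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\V6ZCHH~1.DEF" -f pwfile'
)

# NSS trust flags (certutil documentation); categories are SSL, S/MIME, object signing.
FLAG_MEANING = {
    "p": "valid peer", "P": "trusted peer",
    "c": "valid CA", "C": "trusted CA to issue server certs",
    "T": "trusted CA to issue client certs", "u": "user cert",
}
CATEGORIES = ("ssl", "smime", "objsign")


def parse_trust(trust: str) -> dict:
    """Split 'TCu,Cu,' into per-category flag sets; missing categories are empty."""
    parts = (trust.split(",") + ["", "", ""])[:3]
    return {cat: set(flags) for cat, flags in zip(CATEGORIES, parts)}


def describe_trust(trust: str) -> dict:
    """Human-readable meaning of each flag, per category."""
    return {cat: [FLAG_MEANING.get(f, f"unknown flag {f}") for f in sorted(flags)]
            for cat, flags in parse_trust(trust).items()}


def is_rogue_ca(trust: str) -> bool:
    """True when the SSL category grants CA trust (C or T): the cert can vouch for TLS peers."""
    return bool(parse_trust(trust)["ssl"] & {"C", "T"})


def parse_add_command(cmdline: str) -> dict:
    """Extract nickname, trust string, input file and database from a `certutil -A` line."""
    def opt(flag):
        m = re.search(rf'-{flag}\s+(?:"([^"]*)"|(\S+))', cmdline)
        if not m:
            return None
        value = m.group(1) if m.group(1) is not None else m.group(2)
        return value.replace('"', "")
    return {"nickname": opt("n"), "trust": opt("t"), "certfile": opt("i"), "db": opt("d")}


# Constructed `certutil -L -d sql:<profile>` output for a profile after the command ran.
LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

de_netfilter/SSL/DigiCert SHA2 Extended Validation Server CA 3 CTu,,
My Client Cert                                               u,u,u
"""


def rogue_cas_in_listing(listing: str) -> list[str]:
    """Nicknames in a certutil -L listing whose SSL trust includes C or T."""
    rogue = []
    for line in listing.splitlines()[2:]:  # skip the two header lines
        line = line.rstrip()
        if not line:
            continue
        nickname, _, trust = line.rpartition(" ")
        if is_rogue_ca(trust):
            rogue.append(nickname.rstrip())
    return rogue


if __name__ == "__main__":
    info = parse_add_command(CERTUTIL_CMDLINE)
    print(info)
    print(describe_trust(info["trust"]))
    print("rogue CAs:", rogue_cas_in_listing(LISTING))
```

The detection keys on trust flags rather than on the nickname: certutil prints the flags in its own order (so a cert added with TCu lists as CTu), and an injected CA can carry any name, including that of a well-known public intermediate, as this one does.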


                                                                            Execution Graph

                                                                            Execution Coverage:15%
                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                            Signature Coverage:17.2%
                                                                            Total number of Nodes:1273
                                                                            Total number of Limit Nodes:20
                                                                            execution_graph 3366 401d41 3367 401d54 GetDlgItem 3366->3367 3368 401d47 3366->3368 3370 401d4e 3367->3370 3377 402b0a 3368->3377 3371 401d8f GetClientRect LoadImageA SendMessageA 3370->3371 3372 402b2c 17 API calls 3370->3372 3374 4029b8 3371->3374 3375 401deb 3371->3375 3372->3371 3375->3374 3376 401df3 DeleteObject 3375->3376 3376->3374 3378 406032 17 API calls 3377->3378 3379 402b1f 3378->3379 3379->3370 3380 401746 3381 402b2c 17 API calls 3380->3381 3382 40174d 3381->3382 3383 405bd8 2 API calls 3382->3383 3384 401754 3383->3384 3384->3384 3385 401947 3386 402b2c 17 API calls 3385->3386 3387 40194e lstrlenA 3386->3387 3388 4025e4 3387->3388 3389 401fc8 3390 402b2c 17 API calls 3389->3390 3391 401fcf 3390->3391 3392 4063a8 5 API calls 3391->3392 3393 401fde 3392->3393 3394 401ff6 GlobalAlloc 3393->3394 3395 40205e 3393->3395 3394->3395 3396 40200a 3394->3396 3397 4063a8 5 API calls 3396->3397 3398 402011 3397->3398 3399 4063a8 5 API calls 3398->3399 3400 40201b 3399->3400 3400->3395 3404 405f6e wsprintfA 3400->3404 3402 402052 3405 405f6e wsprintfA 3402->3405 3404->3402 3405->3395 3406 4025c8 3407 402b2c 17 API calls 3406->3407 3408 4025cf 3407->3408 3411 405ba9 GetFileAttributesA CreateFileA 3408->3411 3410 4025db 3411->3410 3412 403bca 3413 403be2 3412->3413 3414 403d1d 3412->3414 3413->3414 3415 403bee 3413->3415 3416 403d6e 3414->3416 3417 403d2e GetDlgItem GetDlgItem 3414->3417 3418 403bf9 SetWindowPos 3415->3418 3419 403c0c 3415->3419 3421 403dc8 3416->3421 3429 401389 2 API calls 3416->3429 3498 40409e 3417->3498 3418->3419 3423 403c11 ShowWindow 3419->3423 3424 403c29 3419->3424 3422 4040ea SendMessageA 3421->3422 3442 403d18 3421->3442 3451 403dda 3422->3451 3423->3424 3426 403c31 DestroyWindow 3424->3426 3427 403c4b 3424->3427 3425 403d58 SetClassLongA 3428 40140b 2 API calls 3425->3428 3480 404027 3426->3480 3430 403c50 SetWindowLongA 3427->3430 3431 403c61 3427->3431 
3428->3416 3432 403da0 3429->3432 3430->3442 3436 403cd8 3431->3436 3437 403c6d GetDlgItem 3431->3437 3432->3421 3433 403da4 SendMessageA 3432->3433 3433->3442 3434 40140b 2 API calls 3434->3451 3435 404029 DestroyWindow EndDialog 3435->3480 3484 404105 3436->3484 3440 403c80 SendMessageA IsWindowEnabled 3437->3440 3441 403c9d 3437->3441 3439 404058 ShowWindow 3439->3442 3440->3441 3440->3442 3444 403caa 3441->3444 3445 403cf1 SendMessageA 3441->3445 3446 403cbd 3441->3446 3454 403ca2 3441->3454 3443 406032 17 API calls 3443->3451 3444->3445 3444->3454 3445->3436 3449 403cc5 3446->3449 3450 403cda 3446->3450 3448 40409e 18 API calls 3448->3451 3452 40140b 2 API calls 3449->3452 3453 40140b 2 API calls 3450->3453 3451->3434 3451->3435 3451->3442 3451->3443 3451->3448 3455 40409e 18 API calls 3451->3455 3471 403f69 DestroyWindow 3451->3471 3452->3454 3453->3454 3454->3436 3481 404077 3454->3481 3456 403e55 GetDlgItem 3455->3456 3457 403e72 ShowWindow EnableWindow 3456->3457 3458 403e6a 3456->3458 3501 4040c0 EnableWindow 3457->3501 3458->3457 3460 403e9c EnableWindow 3465 403eb0 3460->3465 3461 403eb5 GetSystemMenu EnableMenuItem SendMessageA 3462 403ee5 SendMessageA 3461->3462 3461->3465 3462->3465 3464 403bab 18 API calls 3464->3465 3465->3461 3465->3464 3502 4040d3 SendMessageA 3465->3502 3503 406010 lstrcpynA 3465->3503 3467 403f14 lstrlenA 3468 406032 17 API calls 3467->3468 3469 403f25 SetWindowTextA 3468->3469 3470 401389 2 API calls 3469->3470 3470->3451 3472 403f83 CreateDialogParamA 3471->3472 3471->3480 3473 403fb6 3472->3473 3472->3480 3474 40409e 18 API calls 3473->3474 3475 403fc1 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3474->3475 3476 401389 2 API calls 3475->3476 3477 404007 3476->3477 3477->3442 3478 40400f ShowWindow 3477->3478 3479 4040ea SendMessageA 3478->3479 3479->3480 3480->3439 3480->3442 3482 404084 SendMessageA 3481->3482 3483 40407e 3481->3483 3482->3436 3483->3482 3485 4041c8 3484->3485 3486 40411d GetWindowLongA 3484->3486 
3485->3442 3486->3485 3487 404132 3486->3487 3487->3485 3488 404162 3487->3488 3489 40415f GetSysColor 3487->3489 3490 404172 SetBkMode 3488->3490 3491 404168 SetTextColor 3488->3491 3489->3488 3492 404190 3490->3492 3493 40418a GetSysColor 3490->3493 3491->3490 3494 4041a1 3492->3494 3495 404197 SetBkColor 3492->3495 3493->3492 3494->3485 3496 4041b4 DeleteObject 3494->3496 3497 4041bb CreateBrushIndirect 3494->3497 3495->3494 3496->3497 3497->3485 3499 406032 17 API calls 3498->3499 3500 4040a9 SetDlgItemTextA 3499->3500 3500->3425 3501->3460 3502->3465 3503->3467 3507 40254c 3517 402b6c 3507->3517 3510 402b0a 17 API calls 3511 40255f 3510->3511 3512 402586 RegEnumValueA 3511->3512 3513 40257a RegEnumKeyA 3511->3513 3515 402783 3511->3515 3514 40259b RegCloseKey 3512->3514 3513->3514 3514->3515 3518 402b2c 17 API calls 3517->3518 3519 402b83 3518->3519 3520 405e96 RegOpenKeyExA 3519->3520 3521 402556 3520->3521 3521->3510 2803 403753 2804 40376b 2803->2804 2805 40375d CloseHandle 2803->2805 2810 403798 2804->2810 2805->2804 2811 4037a6 2810->2811 2812 403770 2811->2812 2813 4037ab FreeLibrary GlobalFree 2811->2813 2814 4057d8 2812->2814 2813->2812 2813->2813 2851 405a96 2814->2851 2817 405800 DeleteFileA 2818 40377c 2817->2818 2819 405817 2820 405945 2819->2820 2865 406010 lstrcpynA 2819->2865 2820->2818 2898 406313 FindFirstFileA 2820->2898 2822 40583d 2823 405850 2822->2823 2824 405843 lstrcatA 2822->2824 2866 4059ef lstrlenA 2823->2866 2826 405856 2824->2826 2829 405864 lstrcatA 2826->2829 2830 40586f lstrlenA FindFirstFileA 2826->2830 2829->2830 2830->2820 2849 405893 2830->2849 2834 405790 5 API calls 2835 40597f 2834->2835 2836 405983 2835->2836 2837 405999 2835->2837 2836->2818 2842 405137 24 API calls 2836->2842 2838 405137 24 API calls 2837->2838 2838->2818 2839 405924 FindNextFileA 2841 40593c FindClose 2839->2841 2839->2849 2841->2820 2843 405990 2842->2843 2844 405def 36 API calls 2843->2844 2844->2818 2846 4057d8 60 API calls 2846->2849 2847 405137 
24 API calls 2847->2839 2849->2839 2849->2846 2849->2847 2870 4059d3 2849->2870 2874 406010 lstrcpynA 2849->2874 2875 405790 2849->2875 2883 405137 2849->2883 2894 405def MoveFileExA 2849->2894 2904 406010 lstrcpynA 2851->2904 2853 405aa7 2905 405a41 CharNextA CharNextA 2853->2905 2856 4057f8 2856->2817 2856->2819 2858 405ae8 lstrlenA 2859 405af3 2858->2859 2863 405abd 2858->2863 2860 4059a8 3 API calls 2859->2860 2862 405af8 GetFileAttributesA 2860->2862 2861 406313 2 API calls 2861->2863 2862->2856 2863->2856 2863->2858 2863->2861 2864 4059ef 2 API calls 2863->2864 2864->2858 2865->2822 2867 4059fc 2866->2867 2868 405a01 CharPrevA 2867->2868 2869 405a0d 2867->2869 2868->2867 2868->2869 2869->2826 2871 4059d9 2870->2871 2872 4059ec 2871->2872 2873 4059df CharNextA 2871->2873 2872->2849 2873->2871 2874->2849 2920 405b84 GetFileAttributesA 2875->2920 2878 4057b3 DeleteFileA 2880 4057b9 2878->2880 2879 4057ab RemoveDirectoryA 2879->2880 2881 4057bd 2880->2881 2882 4057c9 SetFileAttributesA 2880->2882 2881->2849 2882->2881 2884 405152 2883->2884 2893 4051f5 2883->2893 2885 40516f lstrlenA 2884->2885 2923 406032 2884->2923 2886 405198 2885->2886 2887 40517d lstrlenA 2885->2887 2890 4051ab 2886->2890 2891 40519e SetWindowTextA 2886->2891 2889 40518f lstrcatA 2887->2889 2887->2893 2889->2886 2892 4051b1 SendMessageA SendMessageA SendMessageA 2890->2892 2890->2893 2891->2890 2892->2893 2893->2849 2895 405e03 2894->2895 2897 405e10 2894->2897 2952 405c7f 2895->2952 2897->2849 2899 405969 2898->2899 2900 406329 FindClose 2898->2900 2899->2818 2901 4059a8 lstrlenA CharPrevA 2899->2901 2900->2899 2902 4059c2 lstrcatA 2901->2902 2903 405973 2901->2903 2902->2903 2903->2834 2904->2853 2906 405a5c 2905->2906 2909 405a6c 2905->2909 2908 405a67 CharNextA 2906->2908 2906->2909 2907 405a8c 2907->2856 2911 40627a 2907->2911 2908->2907 2909->2907 2910 4059d3 CharNextA 2909->2910 2910->2909 2918 406286 2911->2918 2912 4062f2 CharPrevA 2914 4062ee 2912->2914 2913 4062e3 CharNextA 
2913->2914 2913->2918 2914->2912 2915 40630d 2914->2915 2915->2863 2916 4059d3 CharNextA 2916->2918 2917 4062d1 CharNextA 2917->2918 2918->2913 2918->2914 2918->2916 2918->2917 2919 4062de CharNextA 2918->2919 2919->2913 2921 40579c 2920->2921 2922 405b96 SetFileAttributesA 2920->2922 2921->2878 2921->2879 2921->2881 2922->2921 2931 40603f 2923->2931 2924 406261 2925 406276 2924->2925 2947 406010 lstrcpynA 2924->2947 2925->2885 2927 40623b lstrlenA 2927->2931 2928 406032 10 API calls 2928->2927 2931->2924 2931->2927 2931->2928 2933 406157 GetSystemDirectoryA 2931->2933 2934 40616a GetWindowsDirectoryA 2931->2934 2935 40627a 5 API calls 2931->2935 2936 406032 10 API calls 2931->2936 2937 4061e4 lstrcatA 2931->2937 2938 40619e SHGetSpecialFolderLocation 2931->2938 2940 405ef7 2931->2940 2945 405f6e wsprintfA 2931->2945 2946 406010 lstrcpynA 2931->2946 2933->2931 2934->2931 2935->2931 2936->2931 2937->2931 2938->2931 2939 4061b6 SHGetPathFromIDListA CoTaskMemFree 2938->2939 2939->2931 2948 405e96 2940->2948 2943 405f5a 2943->2931 2944 405f2b RegQueryValueExA RegCloseKey 2944->2943 2945->2931 2946->2931 2947->2925 2949 405ea5 2948->2949 2950 405ea9 2949->2950 2951 405eae RegOpenKeyExA 2949->2951 2950->2943 2950->2944 2951->2950 2953 405ca5 2952->2953 2954 405ccb GetShortPathNameA 2952->2954 2979 405ba9 GetFileAttributesA CreateFileA 2953->2979 2955 405ce0 2954->2955 2956 405dea 2954->2956 2955->2956 2958 405ce8 wsprintfA 2955->2958 2956->2897 2961 406032 17 API calls 2958->2961 2959 405caf CloseHandle GetShortPathNameA 2959->2956 2960 405cc3 2959->2960 2960->2954 2960->2956 2962 405d10 2961->2962 2980 405ba9 GetFileAttributesA CreateFileA 2962->2980 2964 405d1d 2964->2956 2965 405d2c GetFileSize GlobalAlloc 2964->2965 2966 405de3 CloseHandle 2965->2966 2967 405d4e 2965->2967 2966->2956 2981 405c21 ReadFile 2967->2981 2972 405d81 2975 405b0e 4 API calls 2972->2975 2973 405d6d lstrcpyA 2974 405d8f 2973->2974 2976 405dc6 SetFilePointer 2974->2976 2975->2974 2988 405c50 
Execution graph (rendered by the report's interactive graph widget; the raw node/edge list is not reproduced here). Nodes are code addresses of the sample in the 0x401000-0x4064xx range, each annotated with the Win32 API calls made at that address (among them lstrcpynA, lstrlenA, ReadFile, WriteFile, SetFilePointer, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA, RegDeleteKeyA, CreateProcessA, ShellExecuteExA, LoadLibraryExA, GetProcAddress, OpenProcessToken, AdjustTokenPrivileges, ExitWindowsEx, OpenClipboard, SetClipboardData, SHFileOperationA, CoCreateInstance); edges are caller-to-callee transitions between nodes.

Control-flow Graph
• Executed
• Not Executed

Control-flow graph of the function at 40326b (entry block 40326b-4032aa: SetErrorMode, GetVersion), rendered by the interactive widget. Its basic blocks lie between 40326b and 40374d and cover the path through GetCommandLineA, GetTempPathA, DeleteFileA, CopyFileA, CreateProcessA, OpenProcessToken/AdjustTokenPrivileges, ExitWindowsEx and ExitProcess; the block/edge list itself is not reproduced here.
                                                                            APIs
                                                                            • SetErrorMode.KERNELBASE ref: 00403290
                                                                            • GetVersion.KERNEL32 ref: 00403296
                                                                            • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004032C9
                                                                            • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403305
                                                                            • OleInitialize.OLE32(00000000), ref: 0040330C
                                                                            • SHGetFileInfoA.SHELL32(00429830,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 00403328
                                                                            • GetCommandLineA.KERNEL32(Windows Provisioning 2.6.2 Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 0040333D
                                                                            • CharNextA.USER32(00000000,"C:\Users\user\Desktop\5006_2.6.2.exe",00000020,"C:\Users\user\Desktop\5006_2.6.2.exe",00000000,?,00000006,00000008,0000000A), ref: 00403379
                                                                            • GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,00000008,0000000A), ref: 00403476
                                                                            • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 00403487
                                                                            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403493
                                                                            • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004034A7
                                                                            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004034AF
                                                                            • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004034C0
                                                                            • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004034C8
                                                                            • DeleteFileA.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 004034DC
                                                                              • Part of subcall function 004063A8: GetModuleHandleA.KERNEL32(?,?,?,004032DE,0000000A), ref: 004063BA
                                                                              • Part of subcall function 004063A8: GetProcAddress.KERNEL32(00000000,?), ref: 004063D5
                                                                              • Part of subcall function 0040382D: lstrlenA.KERNEL32("antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||,?,?,?,"antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||,00000000,C:\Users\user\AppData\Roaming\Windows Provisioning,1033,0042A870,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A870,00000000,00000002,75923410), ref: 0040391D
                                                                              • Part of subcall function 0040382D: lstrcmpiA.KERNEL32(?,.exe), ref: 00403930
                                                                              • Part of subcall function 0040382D: GetFileAttributesA.KERNEL32("antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||), ref: 0040393B
                                                                              • Part of subcall function 0040382D: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Windows Provisioning), ref: 00403984
                                                                              • Part of subcall function 0040382D: RegisterClassA.USER32(0042EBA0), ref: 004039C1
                                                                            • ExitProcess.KERNEL32(?,?,00000006,00000008,0000000A), ref: 00403585
                                                                              • Part of subcall function 00403753: CloseHandle.KERNEL32(FFFFFFFF,0040358A,?,?,00000006,00000008,0000000A), ref: 0040375E
                                                                            • OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 0040358A
                                                                            • ExitProcess.KERNEL32 ref: 004035AB
                                                                            • GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 004036C8
                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 004036CF
                                                                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004036E7
                                                                            • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00403706
                                                                            • ExitWindowsEx.USER32(00000002,80040002), ref: 0040372A
                                                                            • ExitProcess.KERNEL32 ref: 0040374D
                                                                              • Part of subcall function 0040572C: MessageBoxIndirectA.USER32(0040A218), ref: 00405787
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: Process$Exit$File$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
                                                                            • String ID: "$"C:\Users\user\Desktop\5006_2.6.2.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Windows Provisioning$C:\Users\user\AppData\Roaming\Windows Provisioning$C:\Users\user\Desktop$C:\Users\user\Desktop\5006_2.6.2.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$Windows Provisioning 2.6.2 Setup$\Temp$~nsu
                                                                            • API String ID: 562314493-3042610276
                                                                            • Opcode ID: 05a91e025c9aea1742115f42aadd9019c56ba4b480ae67e611fec9d80049b737
                                                                            • Instruction ID: c488d4947f624a60ea111d8e8e2b3f6be1d3d76fce8bfd42f4ae142e8cae794f
                                                                            • Opcode Fuzzy Hash: 05a91e025c9aea1742115f42aadd9019c56ba4b480ae67e611fec9d80049b737
                                                                            • Instruction Fuzzy Hash: 9EC10570104741AAD7216F759D49B2F3EA8AF4570AF44443FF582B61E2CB7C8A198B2F
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 542 406313-406327 FindFirstFileA 543 406334 542->543 544 406329-406332 FindClose 542->544 545 406336-406337 543->545 544->545
                                                                            APIs
                                                                            • FindFirstFileA.KERNELBASE(75923410,0042C0C0,0042BC78,00405AD9,0042BC78,0042BC78,00000000,0042BC78,0042BC78,75923410,?,C:\Users\user\AppData\Local\Temp\,004057F8,?,75923410,C:\Users\user\AppData\Local\Temp\), ref: 0040631E
                                                                            • FindClose.KERNEL32(00000000), ref: 0040632A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: Find$CloseFileFirst
                                                                            • String ID:
                                                                            • API String ID: 2295610775-0
                                                                            • Opcode ID: 1839775ab65f4c7429e333cf5f3a5f1104f42c23ffe018d7624b5080913ebc3e
                                                                            • Instruction ID: f1da5dbc8fb4190b670de1866088b9aea297c62f24eccc1d76d376cb4bf46ee5
                                                                            • Opcode Fuzzy Hash: 1839775ab65f4c7429e333cf5f3a5f1104f42c23ffe018d7624b5080913ebc3e
                                                                            • Instruction Fuzzy Hash: A8D0123250A030ABC350177C7E0C88F7A989F163347218A36F4A6F21E0C7348C2286DC
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 132 40382d-403845 call 4063a8 135 403847-403857 call 405f6e 132->135 136 403859-40388a call 405ef7 132->136 145 4038ad-4038d6 call 403af2 call 405a96 135->145 141 4038a2-4038a8 lstrcatA 136->141 142 40388c-40389d call 405ef7 136->142 141->145 142->141 150 4038dc-4038e1 145->150 151 40395d-403965 call 405a96 145->151 150->151 153 4038e3-403907 call 405ef7 150->153 157 403973-403998 LoadImageA 151->157 158 403967-40396e call 406032 151->158 153->151 159 403909-40390b 153->159 161 403a19-403a21 call 40140b 157->161 162 40399a-4039ca RegisterClassA 157->162 158->157 163 40391c-403928 lstrlenA 159->163 164 40390d-40391a call 4059d3 159->164 175 403a23-403a26 161->175 176 403a2b-403a36 call 403af2 161->176 165 4039d0-403a14 SystemParametersInfoA CreateWindowExA 162->165 166 403ae8 162->166 170 403950-403958 call 4059a8 call 406010 163->170 171 40392a-403938 lstrcmpiA 163->171 164->163 165->161 169 403aea-403af1 166->169 170->151 171->170 174 40393a-403944 GetFileAttributesA 171->174 178 403946-403948 174->178 179 40394a-40394b call 4059ef 174->179 175->169 185 403a3c-403a56 ShowWindow call 40633a 176->185 186 403abf-403ac7 call 405209 176->186 178->170 178->179 179->170 191 403a62-403a74 GetClassInfoA 185->191 192 403a58-403a5d call 40633a 185->192 193 403ae1-403ae3 call 40140b 186->193 194 403ac9-403acf 186->194 197 403a76-403a86 GetClassInfoA RegisterClassA 191->197 198 403a8c-403abd DialogBoxParamA call 40140b call 40377d 191->198 192->191 193->166 194->175 199 403ad5-403adc call 40140b 194->199 197->198 198->169 199->175
                                                                            APIs
                                                                              • Part of subcall function 004063A8: GetModuleHandleA.KERNEL32(?,?,?,004032DE,0000000A), ref: 004063BA
                                                                              • Part of subcall function 004063A8: GetProcAddress.KERNEL32(00000000,?), ref: 004063D5
                                                                            • lstrcatA.KERNEL32(1033,0042A870,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A870,00000000,00000002,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\5006_2.6.2.exe",00000000), ref: 004038A8
                                                                            • lstrlenA.KERNEL32("antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||,?,?,?,"antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||,00000000,C:\Users\user\AppData\Roaming\Windows Provisioning,1033,0042A870,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A870,00000000,00000002,75923410), ref: 0040391D
                                                                            • lstrcmpiA.KERNEL32(?,.exe), ref: 00403930
                                                                            • GetFileAttributesA.KERNEL32("antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||), ref: 0040393B
                                                                            • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Windows Provisioning), ref: 00403984
                                                                              • Part of subcall function 00405F6E: wsprintfA.USER32 ref: 00405F7B
                                                                            • RegisterClassA.USER32(0042EBA0), ref: 004039C1
                                                                            • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004039D9
                                                                            • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403A0E
                                                                            • ShowWindow.USER32(00000005,00000000), ref: 00403A44
                                                                            • GetClassInfoA.USER32(00000000,RichEdit20A,0042EBA0), ref: 00403A70
                                                                            • GetClassInfoA.USER32(00000000,RichEdit,0042EBA0), ref: 00403A7D
                                                                            • RegisterClassA.USER32(0042EBA0), ref: 00403A86
                                                                            • DialogBoxParamA.USER32(?,00000000,00403BCA,00000000), ref: 00403AA5
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                            • String ID: "C:\Users\user\Desktop\5006_2.6.2.exe"$"antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Windows Provisioning$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                                            • API String ID: 1975747703-4269149020
                                                                            • Opcode ID: 15822f17e376e41266fbf8a251ac5c412d7bb8a3b85e81a9d7c16052a8cecaf4
                                                                            • Instruction ID: 5bdd09b32da2b5bd11ad56600dd1adb443959310d265eb20ccced3f07ac4f103
                                                                            • Opcode Fuzzy Hash: 15822f17e376e41266fbf8a251ac5c412d7bb8a3b85e81a9d7c16052a8cecaf4
                                                                            • Instruction Fuzzy Hash: B461C770340201AED620BB669D45F2B3E6CEB54749F80447FF981B22E2CB7D9D469B2D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 206 402dc4-402e12 GetTickCount GetModuleFileNameA call 405ba9 209 402e14-402e19 206->209 210 402e1e-402e4c call 406010 call 4059ef call 406010 GetFileSize 206->210 211 402ff4-402ff8 209->211 218 402e52 210->218 219 402f37-402f45 call 402d60 210->219 221 402e57-402e6e 218->221 225 402f47-402f4a 219->225 226 402f9a-402f9f 219->226 223 402e70 221->223 224 402e72-402e7b call 40320d 221->224 223->224 231 402fa1-402fa9 call 402d60 224->231 232 402e81-402e88 224->232 229 402f4c-402f64 call 403223 call 40320d 225->229 230 402f6e-402f98 GlobalAlloc call 403223 call 402ffb 225->230 226->211 229->226 253 402f66-402f6c 229->253 230->226 257 402fab-402fbc 230->257 231->226 235 402f04-402f08 232->235 236 402e8a-402e9e call 405b64 232->236 243 402f12-402f18 235->243 244 402f0a-402f11 call 402d60 235->244 236->243 255 402ea0-402ea7 236->255 248 402f27-402f2f 243->248 249 402f1a-402f24 call 40645f 243->249 244->243 248->221 256 402f35 248->256 249->248 253->226 253->230 255->243 259 402ea9-402eb0 255->259 256->219 260 402fc4-402fc9 257->260 261 402fbe 257->261 259->243 262 402eb2-402eb9 259->262 263 402fca-402fd0 260->263 261->260 262->243 264 402ebb-402ec2 262->264 263->263 265 402fd2-402fed SetFilePointer call 405b64 263->265 264->243 267 402ec4-402ee4 264->267 268 402ff2 265->268 267->226 269 402eea-402eee 267->269 268->211 270 402ef0-402ef4 269->270 271 402ef6-402efe 269->271 270->256 270->271 271->243 272 402f00-402f02 271->272 272->243
                                                                            APIs
                                                                            • GetTickCount.KERNEL32 ref: 00402DD5
                                                                            • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\5006_2.6.2.exe,00000400), ref: 00402DF1
                                                                              • Part of subcall function 00405BA9: GetFileAttributesA.KERNELBASE(00000003,00402E04,C:\Users\user\Desktop\5006_2.6.2.exe,80000000,00000003), ref: 00405BAD
                                                                              • Part of subcall function 00405BA9: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BCF
                                                                            • GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\5006_2.6.2.exe,C:\Users\user\Desktop\5006_2.6.2.exe,80000000,00000003), ref: 00402E3D
                                                                            • GlobalAlloc.KERNELBASE(00000040,00000020), ref: 00402F73
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                            • String ID: TA$"C:\Users\user\Desktop\5006_2.6.2.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\5006_2.6.2.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                                                            • API String ID: 2803837635-2480270032
                                                                            • Opcode ID: a6173edc5218a8736919d7ec244e80ad4ff8d0a671bf7eda1f584d4bdf14a1ba
                                                                            • Instruction ID: 027006cf2d98db9fa9c400e5027e86f3261d974ae097fd254c994c4dc937b6e6
                                                                            • Opcode Fuzzy Hash: a6173edc5218a8736919d7ec244e80ad4ff8d0a671bf7eda1f584d4bdf14a1ba
                                                                            • Instruction Fuzzy Hash: FF51E471900215ABCB20AF64DE89B9F7BB8EB14359F50403BF500B32D1C6BC9E459AAD
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 273 406032-40603d 274 406050-406066 273->274 275 40603f-40604e 273->275 276 406257-40625b 274->276 277 40606c-406077 274->277 275->274 279 406261-40626b 276->279 280 406089-406093 276->280 277->276 278 40607d-406084 277->278 278->276 282 406276-406277 279->282 283 40626d-406271 call 406010 279->283 280->279 281 406099-4060a0 280->281 284 4060a6-4060da 281->284 285 40624a 281->285 283->282 287 4060e0-4060ea 284->287 288 4061f7-4061fa 284->288 289 406254-406256 285->289 290 40624c-406252 285->290 291 406104 287->291 292 4060ec-4060f0 287->292 293 40622a-40622d 288->293 294 4061fc-4061ff 288->294 289->276 290->276 300 40610b-406112 291->300 292->291 297 4060f2-4060f6 292->297 295 40623b-406248 lstrlenA 293->295 296 40622f-406236 call 406032 293->296 298 406201-40620d call 405f6e 294->298 299 40620f-40621b call 406010 294->299 295->276 296->295 297->291 302 4060f8-4060fc 297->302 309 406220-406226 298->309 299->309 304 406114-406116 300->304 305 406117-406119 300->305 302->291 310 4060fe-406102 302->310 304->305 307 406152-406155 305->307 308 40611b-40613e call 405ef7 305->308 314 406165-406168 307->314 315 406157-406163 GetSystemDirectoryA 307->315 321 406144-40614d call 406032 308->321 322 4061de-4061e2 308->322 309->295 313 406228 309->313 310->300 317 4061ef-4061f5 call 40627a 313->317 319 4061d5-4061d7 314->319 320 40616a-406178 GetWindowsDirectoryA 314->320 318 4061d9-4061dc 315->318 317->295 318->317 318->322 319->318 323 40617a-406184 319->323 320->319 321->318 322->317 326 4061e4-4061ea lstrcatA 322->326 328 406186-406189 323->328 329 40619e-4061b4 SHGetSpecialFolderLocation 323->329 326->317 328->329 333 40618b-406192 328->333 330 4061d2 329->330 331 4061b6-4061d0 SHGetPathFromIDListA CoTaskMemFree 329->331 330->319 331->318 331->330 334 40619a-40619c 333->334 334->318 334->329
                                                                            APIs
                                                                            • GetSystemDirectoryA.KERNEL32("antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||,00000400), ref: 0040615D
                                                                            • GetWindowsDirectoryA.KERNEL32("antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||,00000400,?,0042A050,00000000,0040516F,0042A050,00000000), ref: 00406170
                                                                            • SHGetSpecialFolderLocation.SHELL32(0040516F,759223A0,?,0042A050,00000000,0040516F,0042A050,00000000), ref: 004061AC
                                                                            • SHGetPathFromIDListA.SHELL32(759223A0,"antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||), ref: 004061BA
                                                                            • CoTaskMemFree.OLE32(759223A0), ref: 004061C6
                                                                            • lstrcatA.KERNEL32("antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||,\Microsoft\Internet Explorer\Quick Launch), ref: 004061EA
                                                                            • lstrlenA.KERNEL32("antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||,?,0042A050,00000000,0040516F,0042A050,00000000,00000000,00427388,759223A0), ref: 0040623C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                            • String ID: "antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                            • API String ID: 717251189-1349478114
                                                                            • Opcode ID: b5f21783dff86301b55f28ea11f9c7815398c55a2ca1ca21ed943f87329636d9
                                                                            • Instruction ID: 0eb145c1bee873094c14c85ea59bbbcbcc52f889deb60e0de917f7e6e63be494
                                                                            • Opcode Fuzzy Hash: b5f21783dff86301b55f28ea11f9c7815398c55a2ca1ca21ed943f87329636d9
                                                                            • Instruction Fuzzy Hash: F1610171900114AEDF24AF64CC84BBE3BA5AB15314F52417FE913BA2D2C77C49A2CB5E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 335 401759-40177c call 402b2c call 405a15 340 401786-401798 call 406010 call 4059a8 lstrcatA 335->340 341 40177e-401784 call 406010 335->341 346 40179d-4017a3 call 40627a 340->346 341->346 351 4017a8-4017ac 346->351 352 4017ae-4017b8 call 406313 351->352 353 4017df-4017e2 351->353 360 4017ca-4017dc 352->360 361 4017ba-4017c8 CompareFileTime 352->361 355 4017e4-4017e5 call 405b84 353->355 356 4017ea-401806 call 405ba9 353->356 355->356 363 401808-40180b 356->363 364 40187e-4018a7 call 405137 call 402ffb 356->364 360->353 361->360 365 401860-40186a call 405137 363->365 366 40180d-40184f call 406010 * 2 call 406032 call 406010 call 40572c 363->366 378 4018a9-4018ad 364->378 379 4018af-4018bb SetFileTime 364->379 376 401873-401879 365->376 366->351 399 401855-401856 366->399 380 4029c1 376->380 378->379 382 4018c1-4018cc FindCloseChangeNotification 378->382 379->382 386 4029c3-4029c7 380->386 384 4018d2-4018d5 382->384 385 4029b8-4029bb 382->385 388 4018d7-4018e8 call 406032 lstrcatA 384->388 389 4018ea-4018ed call 406032 384->389 385->380 393 4018f2-402353 call 40572c 388->393 389->393 393->385 393->386 399->376 401 401858-401859 399->401 401->365
                                                                            APIs
                                                                            • lstrcatA.KERNEL32(00000000,00000000,"antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||,C:\Users\user\AppData\Roaming\Windows Provisioning,00000000,00000000,00000031), ref: 00401798
                                                                            • CompareFileTime.KERNEL32(-00000014,?,"antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||,"antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||,00000000,00000000,"antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||,C:\Users\user\AppData\Roaming\Windows Provisioning,00000000,00000000,00000031), ref: 004017C2
                                                                              • Part of subcall function 00406010: lstrcpynA.KERNEL32(?,?,00000400,0040333D,Windows Provisioning 2.6.2 Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 0040601D
                                                                              • Part of subcall function 00405137: lstrlenA.KERNEL32(0042A050,00000000,00427388,759223A0,?,?,?,?,?,?,?,?,?,00403156,00000000,?), ref: 00405170
                                                                              • Part of subcall function 00405137: lstrlenA.KERNEL32(00403156,0042A050,00000000,00427388,759223A0,?,?,?,?,?,?,?,?,?,00403156,00000000), ref: 00405180
                                                                              • Part of subcall function 00405137: lstrcatA.KERNEL32(0042A050,00403156,00403156,0042A050,00000000,00427388,759223A0), ref: 00405193
                                                                              • Part of subcall function 00405137: SetWindowTextA.USER32(0042A050,0042A050), ref: 004051A5
                                                                              • Part of subcall function 00405137: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051CB
                                                                              • Part of subcall function 00405137: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051E5
                                                                              • Part of subcall function 00405137: SendMessageA.USER32(?,00001013,?,00000000), ref: 004051F3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                            • String ID: "antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||$C:\Users\user\AppData\Roaming\Windows Provisioning$C:\Users\user\AppData\Roaming\Windows Provisioning
                                                                            • API String ID: 1941528284-521884884
                                                                            • Opcode ID: d2d4c9be4c77887772f7a063183bc6da9d3610935c72e1bf3270bbb4a4cc9717
                                                                            • Instruction ID: fcac4804817dd72ce497849c2c59a0292666c96c0e268c836f952ab8254f0f2b
                                                                            • Opcode Fuzzy Hash: d2d4c9be4c77887772f7a063183bc6da9d3610935c72e1bf3270bbb4a4cc9717
                                                                            • Instruction Fuzzy Hash: 5941E571900114BACF10BBB5CD45E9F3A79EF45369F20823BF412F20E2DA7C8A519A6D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 402 40633a-40635a GetSystemDirectoryA 403 40635c 402->403 404 40635e-406360 402->404 403->404 405 406370-406372 404->405 406 406362-40636a 404->406 408 406373-4063a5 wsprintfA LoadLibraryExA 405->408 406->405 407 40636c-40636e 406->407 407->408
                                                                            APIs
                                                                            • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406351
                                                                            • wsprintfA.USER32 ref: 0040638A
                                                                            • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040639E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                            • String ID: %s%s.dll$UXTHEME$\
                                                                            • API String ID: 2200240437-4240819195
                                                                            • Opcode ID: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
                                                                            • Instruction ID: 4d0fdf3fe302aa3e605d302367287b0bc06203fc89102858e08200231af957cf
                                                                            • Opcode Fuzzy Hash: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
                                                                            • Instruction Fuzzy Hash: 9EF0F670510609ABEB24AB74DD0DFEB366CAB08305F14057AAA86E11D1EA78D9358BDC
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 409 402ffb-40300f 410 403011 409->410 411 403018-403021 409->411 410->411 412 403023 411->412 413 40302a-40302f 411->413 412->413 414 403031-40303a call 403223 413->414 415 40303f-40304c call 40320d 413->415 414->415 419 403052-403056 415->419 420 4031fb 415->420 421 4031a6-4031a8 419->421 422 40305c-4030a5 GetTickCount 419->422 423 4031fd-4031fe 420->423 424 4031e8-4031eb 421->424 425 4031aa-4031ad 421->425 426 403203 422->426 427 4030ab-4030b3 422->427 428 403206-40320a 423->428 429 4031f0-4031f9 call 40320d 424->429 430 4031ed 424->430 425->426 431 4031af 425->431 426->428 432 4030b5 427->432 433 4030b8-4030c6 call 40320d 427->433 429->420 442 403200 429->442 430->429 436 4031b2-4031b8 431->436 432->433 433->420 441 4030cc-4030d5 433->441 439 4031ba 436->439 440 4031bc-4031ca call 40320d 436->440 439->440 440->420 446 4031cc-4031d1 call 405c50 440->446 445 4030db-4030fb call 4064cd 441->445 442->426 451 403101-403114 GetTickCount 445->451 452 40319e-4031a0 445->452 450 4031d6-4031d8 446->450 453 4031a2-4031a4 450->453 454 4031da-4031e4 450->454 455 403116-40311e 451->455 456 403159-40315b 451->456 452->423 453->423 454->436 457 4031e6 454->457 458 403120-403124 455->458 459 403126-403156 MulDiv wsprintfA call 405137 455->459 460 403192-403196 456->460 461 40315d-403161 456->461 457->426 458->456 458->459 459->456 460->427 462 40319c 460->462 464 403163-40316a call 405c50 461->464 465 403178-403183 461->465 462->426 469 40316f-403171 464->469 466 403186-40318a 465->466 466->445 470 403190 466->470 469->453 471 403173-403176 469->471 470->426 471->466
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: CountTick$wsprintf
                                                                            • String ID: ... %d%%
                                                                            • API String ID: 551687249-2449383134
                                                                            • Opcode ID: fadbfff98126c3f33fc218ff52c7570f2bc54738a50a490896210387b9f65f46
                                                                            • Instruction ID: 2f86f0e091d903dd4c8dc1f0d7d1d97a23866136c8ad304ef4da6da149bc5d25
                                                                            • Opcode Fuzzy Hash: fadbfff98126c3f33fc218ff52c7570f2bc54738a50a490896210387b9f65f46
                                                                            • Instruction Fuzzy Hash: D2518D71801219EBDB10DF65DA44A9E7FB8EF08316F10817BE810B72E1C7789B44CBA9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 472 405bd8-405be2 473 405be3-405c0e GetTickCount GetTempFileNameA 472->473 474 405c10-405c12 473->474 475 405c1d-405c1f 473->475 474->473 476 405c14 474->476 477 405c17-405c1a 475->477 476->477
                                                                            APIs
                                                                            • GetTickCount.KERNEL32 ref: 00405BEC
                                                                            • GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405C06
                                                                            Strings
                                                                            • "C:\Users\user\Desktop\5006_2.6.2.exe", xrefs: 00405BD8
                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405BDB
                                                                            • nsa, xrefs: 00405BE3
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: CountFileNameTempTick
                                                                            • String ID: "C:\Users\user\Desktop\5006_2.6.2.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                                            • API String ID: 1716503409-574165253
                                                                            • Opcode ID: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
                                                                            • Instruction ID: 7981c9ddf24778652055132877b92488972f9a5eb9cf132aa873dca7e4a118a1
                                                                            • Opcode Fuzzy Hash: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
                                                                            • Instruction Fuzzy Hash: 0FF082363183046BEB109F56DD04B9B7BA9DFD2750F14803BFA489B290D6B4A9548B58
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 478 4015bb-4015ce call 402b2c call 405a41 483 4015d0-4015e3 call 4059d3 478->483 484 401624-401627 478->484 491 4015e5-4015e8 483->491 492 4015fb-4015fc call 40567a 483->492 486 401652-4022a9 call 401423 484->486 487 401629-401644 call 401423 call 406010 SetCurrentDirectoryA 484->487 501 402783-40278a 486->501 502 4029b8-4029c7 486->502 487->502 507 40164a-40164d 487->507 491->492 496 4015ea-4015f1 call 405697 491->496 499 401601-401603 492->499 496->492 511 4015f3-4015f9 call 4055fd 496->511 504 401605-40160a 499->504 505 40161a-401622 499->505 501->502 509 401617 504->509 510 40160c-401615 GetFileAttributesA 504->510 505->483 505->484 507->502 509->505 510->505 510->509 511->499
                                                                            APIs
                                                                              • Part of subcall function 00405A41: CharNextA.USER32(?,?,0042BC78,?,00405AAD,0042BC78,0042BC78,75923410,?,C:\Users\user\AppData\Local\Temp\,004057F8,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A4F
                                                                              • Part of subcall function 00405A41: CharNextA.USER32(00000000), ref: 00405A54
                                                                              • Part of subcall function 00405A41: CharNextA.USER32(00000000), ref: 00405A68
                                                                            • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                                                              • Part of subcall function 004055FD: CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405640
                                                                            • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\Windows Provisioning,00000000,00000000,000000F0), ref: 0040163C
                                                                            Strings
                                                                            • C:\Users\user\AppData\Roaming\Windows Provisioning, xrefs: 00401631
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                            • String ID: C:\Users\user\AppData\Roaming\Windows Provisioning
                                                                            • API String ID: 1892508949-2535408887
                                                                            • Opcode ID: a516b4748d05a08e440426ddae0d387c05c7f5690fa4427b99a5bf14fe3e0d49
                                                                            • Instruction ID: 1afb8a6b6fc663fc0b529d5452f3d1f5a7876e1f873962654dbae4e79628cbca
                                                                            • Opcode Fuzzy Hash: a516b4748d05a08e440426ddae0d387c05c7f5690fa4427b99a5bf14fe3e0d49
                                                                            • Instruction Fuzzy Hash: 08112731508141EBCB217FB54D41A7F36B4AE96324F68093FE4D1B22E2D63D4842AA2F
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 515 4056af-4056e0 CreateProcessA 516 4056e2-4056eb CloseHandle 515->516 517 4056ee-4056ef 515->517 516->517
                                                                            APIs
                                                                            • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C078,Error launching installer), ref: 004056D8
                                                                            • CloseHandle.KERNEL32(?), ref: 004056E5
                                                                            Strings
                                                                            • Error launching installer, xrefs: 004056C2
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: CloseCreateHandleProcess
                                                                            • String ID: Error launching installer
                                                                            • API String ID: 3712363035-66219284
                                                                            • Opcode ID: a2b9ecb8406674d5a7d1aded78611502900df459338db245270d40db8d5eaf79
                                                                            • Instruction ID: d682804100e664e073205113f6b11307167482a28e2818ee20dd6d85df95f7a7
                                                                            • Opcode Fuzzy Hash: a2b9ecb8406674d5a7d1aded78611502900df459338db245270d40db8d5eaf79
                                                                            • Instruction Fuzzy Hash: CFE046F0640209BFEB109FA0EE49F7F7AADEB00704F404521BD00F2190EA7498088A7C
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph (legend: Executed / Not Executed; node colouring is not recoverable from the text dump)

                                                                            • Node 518: 401389-40138e
                                                                            • Node 519: 4013fa-4013fc
                                                                            • Node 520: 401390-4013a0
                                                                            • Node 521: 4013fe
                                                                            • Node 522: 401400-401401
                                                                            • Node 523: 4013a2-4013a3 call 401434
                                                                            • Node 525: 4013a8-4013ad
                                                                            • Node 526: 401404-401409
                                                                            • Node 527: 4013af-4013b7 call 40136d
                                                                            • Node 530: 4013b9-4013bb
                                                                            • Node 531: 4013bd-4013c2
                                                                            • Node 532: 4013c4-4013c9
                                                                            • Node 533: 4013cb-4013f4 MulDiv SendMessageA
                                                                            • Edges: 518->519, 519->520, 519->521, 520->521, 520->523, 521->522, 523->525, 525->526, 525->527, 526->522, 527->530, 527->531, 530->532, 531->532, 532->519, 532->533, 533->519
                                                                            APIs
                                                                            • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                            • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID:
                                                                            • API String ID: 3850602802-0
                                                                            • Opcode ID: 3ffebd5fca59fb87aab51f7597ede924ce92eaed1a0ec0a619fe9c5b1ad01a7d
                                                                            • Instruction ID: 5ed4d9c38c73c282456bb639181f16eab54b9a7fb1a82fe129ff52a3f74c88ba
                                                                            • Opcode Fuzzy Hash: 3ffebd5fca59fb87aab51f7597ede924ce92eaed1a0ec0a619fe9c5b1ad01a7d
                                                                            • Instruction Fuzzy Hash: B101F4317242109BE7199B399D04B6A3698E710719F54823FF852F61F1D678EC028B4C
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph (legend: Executed / Not Executed; node colouring is not recoverable from the text dump)

                                                                            • Node 534: 4063a8-4063c2 GetModuleHandleA
                                                                            • Node 535: 4063c4-4063c5 call 40633a
                                                                            • Node 536: 4063ce-4063db GetProcAddress
                                                                            • Node 537: 4063df-4063e1
                                                                            • Node 539: 4063ca-4063cc
                                                                            • Node 540: 4063dd
                                                                            • Edges: 534->535, 534->536, 535->539, 536->537, 539->536, 539->540, 540->537
                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(?,?,?,004032DE,0000000A), ref: 004063BA
                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 004063D5
                                                                              • Part of subcall function 0040633A: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406351
                                                                              • Part of subcall function 0040633A: wsprintfA.USER32 ref: 0040638A
                                                                              • Part of subcall function 0040633A: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040639E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                            • String ID:
                                                                            • API String ID: 2547128583-0
                                                                            • Opcode ID: dd9300423111a071ed2c714751f7876f95e5d132df45129638b184150075da19
                                                                            • Instruction ID: 650a49b09a3c495eabc0f371936d9c907298e200c4f2363c251d84495e191d7a
                                                                            • Opcode Fuzzy Hash: dd9300423111a071ed2c714751f7876f95e5d132df45129638b184150075da19
                                                                            • Instruction Fuzzy Hash: B4E08C32604220ABD2106A74AE0493B72A89E94710302083EF947F2240DB389C3697AD
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph (legend: Executed / Not Executed; node colouring is not recoverable from the text dump)

                                                                            • Node 541: 405ba9-405bd5 GetFileAttributesA CreateFileA
                                                                            • Edges: none (single block)
                                                                            APIs
                                                                            • GetFileAttributesA.KERNELBASE(00000003,00402E04,C:\Users\user\Desktop\5006_2.6.2.exe,80000000,00000003), ref: 00405BAD
                                                                            • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BCF
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: File$AttributesCreate
                                                                            • String ID:
                                                                            • API String ID: 415043291-0
                                                                            • Opcode ID: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
                                                                            • Instruction ID: 6905ba7dec075751c4c8bdaf1e97cd52a4ed4154a0977e2bcfee25d1bc4df630
                                                                            • Opcode Fuzzy Hash: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
                                                                            • Instruction Fuzzy Hash: F5D09E31254201EFEF098F20DE16F2EBBA2EB94B00F11952CB682944E1DA715819AB19
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph (legend: Executed / Not Executed; node colouring is not recoverable from the text dump)

                                                                            • Node 546: 405b84-405b94 GetFileAttributesA
                                                                            • Node 547: 405ba3-405ba6
                                                                            • Node 548: 405b96-405b9d SetFileAttributesA
                                                                            • Edges: 546->547, 546->548, 548->547
                                                                            APIs
                                                                            • GetFileAttributesA.KERNELBASE(?,?,0040579C,?,?,00000000,0040597F,?,?,?,?), ref: 00405B89
                                                                            • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405B9D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: AttributesFile
                                                                            • String ID:
                                                                            • API String ID: 3188754299-0
                                                                            • Opcode ID: a53a5738952024e77fe51bdf82e6835a24f68a8863f167a8e3b3ad13dd9f075c
                                                                            • Instruction ID: 89bb1c08115ccb47c9876ad1094a3663263f91dea81084495bed50ebcc9a35d2
                                                                            • Opcode Fuzzy Hash: a53a5738952024e77fe51bdf82e6835a24f68a8863f167a8e3b3ad13dd9f075c
                                                                            • Instruction Fuzzy Hash: B7D0C972504421ABD2102728AE0889BBBA5DB542717028A36F9A5A22B1DB304C569A99
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateDirectoryA.KERNELBASE(?,00000000,0040325E,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040347D,?,00000006,00000008,0000000A), ref: 00405680
                                                                            • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 0040568E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: CreateDirectoryErrorLast
                                                                            • String ID:
                                                                            • API String ID: 1375471231-0
                                                                            • Opcode ID: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
                                                                            • Instruction ID: cb450b3a329ff4c2b820c3640ee2c86a22e1ba63869c3c930ac7c2b00640337e
                                                                            • Opcode Fuzzy Hash: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
                                                                            • Instruction Fuzzy Hash: B3C04C302145029EDA515B319E08B1B7A59AB90781F528839654AE81B0DE768455DD2E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004031D6,00000000,0041D428,000000FF,0041D428,000000FF,000000FF,00000004,00000000), ref: 00405C64
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: FileWrite
                                                                            • String ID:
                                                                            • API String ID: 3934441357-0
                                                                            • Opcode ID: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
                                                                            • Instruction ID: df976955bb7b77361248817f919be03bb6bd2f6f3b4dc1c0c3d16748aaf5f5c5
                                                                            • Opcode Fuzzy Hash: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
                                                                            • Instruction Fuzzy Hash: 65E0EC3221476EABEF509F559D04EEB7B6CEB06360F004436FE25E2550D631E9219BA8
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403220,00000000,00000000,0040304A,000000FF,00000004,00000000,00000000,00000000), ref: 00405C35
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: FileRead
                                                                            • String ID:
                                                                            • API String ID: 2738559852-0
                                                                            • Opcode ID: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
                                                                            • Instruction ID: 6d14d449f293f6f00ca5a49b865ea561f53b7d8d8b79739f6419f9b8fb6d3ad5
                                                                            • Opcode Fuzzy Hash: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
                                                                            • Instruction Fuzzy Hash: 9EE0EC3221476AABEF109E559C00EEB7B6CEB05361F008836F915E3150D631E8219FA8
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: AttributesFile
                                                                            • String ID:
                                                                            • API String ID: 3188754299-0
                                                                            • Opcode ID: 7c7e4bdf60eaee922853463450b3a098a6950b3c426d1b45f9d85291b8358fec
                                                                            • Instruction ID: 4f8ec7b4fa93eeb61d23c1d92a418e90caec6e25b57ca3d9eeae261b5adaa5a1
                                                                            • Opcode Fuzzy Hash: 7c7e4bdf60eaee922853463450b3a098a6950b3c426d1b45f9d85291b8358fec
                                                                            • Instruction Fuzzy Hash: 0FD012727042009BCB11EFA8AB08A5E7775EB54324F600537D101F21D1D2B885459759
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%
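The "APIs" lines of every function entry above share one layout: `Name.Module(args), ref: call-address`, with a `Part of subcall function <addr>:` prefix when the call was logged through a callee and no argument list at all for some calls (wsprintfA). The script below is an added example written for this page; it is not part of the Joe Sandbox report or of the Joe Sandbox tooling. It parses those lines into records, classifies each logged argument as unresolved (`?`), a literal string, a plain value or a pointer into the sample's own image (base 0x400000 from the Memory Dump Source lines; the 0x440000 upper bound is an assumption), and names the flag bits at two argument positions whose documented meaning is certain (LoadLibraryExA's third argument and CreateProcessA's creation flags). The sample input is copied from the entries on this page, with the CreateDirectoryA line abridged; the line grammar itself is inferred from those entries, since the report publishes no schema.

```python
"""Parse the "APIs" lines of a Joe Sandbox function listing into records.

Added example; not part of the report or of Joe Sandbox. The line grammar is
inferred from the entries reproduced on the page, and the image upper bound
below is an assumption taken from the Memory Dump Source offsets.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: API lines copied from the page. The CreateDirectoryA
# line is abridged (the original repeats the Temp path several times).
SAMPLE = """\
• CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C078,Error launching installer), ref: 004056D8
• CloseHandle.KERNEL32(?), ref: 004056E5
• GetModuleHandleA.KERNEL32(?,?,?,004032DE,0000000A), ref: 004063BA
• GetProcAddress.KERNEL32(00000000,?), ref: 004063D5
  • Part of subcall function 0040633A: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406351
  • Part of subcall function 0040633A: wsprintfA.USER32 ref: 0040638A
  • Part of subcall function 0040633A: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040639E
• CreateDirectoryA.KERNELBASE(?,00000000,0040325E,C:\\Users\\user\\AppData\\Local\\Temp\\,0040347D,?,00000006,00000008,0000000A), ref: 00405680
• GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 0040568E
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"          # e.g. CreateProcessA.KERNELBASE
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*"   # argument list is optional (wsprintfA)
    r"(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Assumption: image mapped at 0x400000; the highest region listed on the page
# starts at 0x43E000, so 0x440000 is used as a generous upper bound.
IMAGE_BASE, IMAGE_END = 0x400000, 0x440000

# Flag names at (api, zero-based argument index) positions with documented meaning.
KNOWN_FLAGS = {
    ("LoadLibraryExA", 2): {0x8: "LOAD_WITH_ALTERED_SEARCH_PATH"},
    ("CreateProcessA", 5): {0x04000000: "CREATE_DEFAULT_ERROR_MODE"},
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                          # address of the call instruction
    subcall_of: Optional[int] = None  # parent when logged as "Part of subcall"


def classify_arg(arg: str) -> str:
    """'?' is unresolved; eight hex digits inside the image are pointers into it."""
    if arg == "?":
        return "unknown"
    if re.fullmatch(r"[0-9A-Fa-f]{8}", arg):
        return "image-ptr" if IMAGE_BASE <= int(arg, 16) < IMAGE_END else "value"
    return "string"


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn API lines into records; lines of any other kind are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16),
                             int(sub, 16) if sub is not None else None))
    return calls


def decode_flags(call: ApiCall) -> List[str]:
    """Name the flag bits set at argument positions listed in KNOWN_FLAGS."""
    names = []
    for (api, idx), table in KNOWN_FLAGS.items():
        if call.api == api and idx < len(call.args) \
                and classify_arg(call.args[idx]) == "value":
            v = int(call.args[idx], 16)
            names += [n for bit, n in table.items() if (v & bit) == bit]
    return names


def summarise(calls: List[ApiCall]) -> Dict[str, object]:
    """Per-module counts plus the literal strings and in-image pointers seen."""
    by_module = Counter(c.module for c in calls)
    strings = sorted({a for c in calls for a in c.args if classify_arg(a) == "string"})
    ptrs = sorted({int(a, 16) for c in calls for a in c.args
                   if classify_arg(a) == "image-ptr"})
    return {"by_module": dict(by_module), "strings": strings, "image_pointers": ptrs}


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for c in parsed:
        owner = f" (in sub {c.subcall_of:08X})" if c.subcall_of else ""
        print(f"{c.ref:08X} {c.api}.{c.module}{owner} {decode_flags(c)}")
    print(summarise(parsed))
```

Joe Sandbox logs whatever sits in the stack slots, so arguments beyond an API's real parameter count (the `0042C078` and `Error launching installer` entries on the CreateProcessA line) are still recorded here as image pointers and strings; the script classifies them, it does not claim they are parameters.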

APIs
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F89,?), ref: 00403231
Memory Dump Source
• Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CloseHandle.KERNEL32(FFFFFFFF,0040358A,?,?,00000006,00000008,0000000A), ref: 0040375E
Memory Dump Source
• Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?,00000403), ref: 004052D4
• GetDlgItem.USER32(?,000003EE), ref: 004052E3
• GetClientRect.USER32(?,?), ref: 00405320
• GetSystemMetrics.USER32(00000002), ref: 00405327
• SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405348
• SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405359
• SendMessageA.USER32(?,00001001,00000000,?), ref: 0040536C
• SendMessageA.USER32(?,00001026,00000000,?), ref: 0040537A
• SendMessageA.USER32(?,00001024,00000000,?), ref: 0040538D
• ShowWindow.USER32(00000000,?,0000001B,?), ref: 004053AF
• ShowWindow.USER32(?,00000008), ref: 004053C3
• GetDlgItem.USER32(?,000003EC), ref: 004053E4
• SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004053F4
• SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040540D
• SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405419
• GetDlgItem.USER32(?,000003F8), ref: 004052F2
  • Part of subcall function 004040D3: SendMessageA.USER32(00000028,?,00000001,00403F03), ref: 004040E1
• GetDlgItem.USER32(?,000003EC), ref: 00405435
• CreateThread.KERNEL32(00000000,00000000,Function_00005209,00000000), ref: 00405443
• CloseHandle.KERNEL32(00000000), ref: 0040544A
• ShowWindow.USER32(00000000), ref: 0040546D
• ShowWindow.USER32(?,00000008), ref: 00405474
• ShowWindow.USER32(00000008), ref: 004054BA
• SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004054EE
• CreatePopupMenu.USER32 ref: 004054FF
• AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405514
• GetWindowRect.USER32(?,000000FF), ref: 00405534
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040554D
• SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405589
• OpenClipboard.USER32(00000000), ref: 00405599
• EmptyClipboard.USER32 ref: 0040559F
• GlobalAlloc.KERNEL32(00000042,?), ref: 004055A8
• GlobalLock.KERNEL32(00000000), ref: 004055B2
• SendMessageA.USER32(?,0000102D,00000000,?), ref: 004055C6
• GlobalUnlock.KERNEL32(00000000), ref: 004055DF
• SetClipboardData.USER32(00000001,00000000), ref: 004055EA
• CloseClipboard.USER32 ref: 004055F0
Memory Dump Source
• Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
Similarity
• API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
• String ID:
• API String ID: 590372296-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?,000003FB), ref: 0040457F
• SetWindowTextA.USER32(00000000,?), ref: 004045A9
• SHBrowseForFolderA.SHELL32(?,00429C48,?), ref: 0040465A
• CoTaskMemFree.OLE32(00000000), ref: 00404665
• lstrcmpiA.KERNEL32("antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||,0042A870), ref: 00404697
• lstrcatA.KERNEL32(?,"antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||), ref: 004046A3
• SetDlgItemTextA.USER32(?,000003FB,?), ref: 004046B5
  • Part of subcall function 00405710: GetDlgItemTextA.USER32(?,?,00000400,004046EC), ref: 00405723
  • Part of subcall function 0040627A: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\5006_2.6.2.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,00403246,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040347D,?,00000006,00000008,0000000A), ref: 004062D2
  • Part of subcall function 0040627A: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004062DF
  • Part of subcall function 0040627A: CharNextA.USER32(?,"C:\Users\user\Desktop\5006_2.6.2.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,00403246,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040347D,?,00000006,00000008,0000000A), ref: 004062E4
  • Part of subcall function 0040627A: CharPrevA.USER32(?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000,00403246,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040347D,?,00000006,00000008,0000000A), ref: 004062F4
• GetDiskFreeSpaceA.KERNEL32(00429840,?,?,0000040F,?,00429840,00429840,?,00000001,00429840,?,?,000003FB,?), ref: 00404773
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040478E
  • Part of subcall function 004048E7: lstrlenA.KERNEL32(0042A870,0042A870,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404802,000000DF,00000000,00000400,?), ref: 00404985
  • Part of subcall function 004048E7: wsprintfA.USER32 ref: 0040498D
  • Part of subcall function 004048E7: SetDlgItemTextA.USER32(?,0042A870), ref: 004049A0
Strings
• "antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||, xrefs: 00404691, 00404696, 004046A1
• C:\Users\user\AppData\Roaming\Windows Provisioning, xrefs: 00404680
• A, xrefs: 00404653
Memory Dump Source
• Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
Similarity
• API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
• String ID: "antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||$A$C:\Users\user\AppData\Roaming\Windows Provisioning
• API String ID: 2624150263-350062850
Uniqueness
Uniqueness Score: -1.00%

APIs
• DeleteFileA.KERNEL32(?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405801
• lstrcatA.KERNEL32(0042B878,\*.*,0042B878,?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405849
• lstrcatA.KERNEL32(?,0040A014,?,0042B878,?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040586A
• lstrlenA.KERNEL32(?,?,0040A014,?,0042B878,?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405870
• FindFirstFileA.KERNEL32(0042B878,?,?,?,0040A014,?,0042B878,?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405881
• FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 0040592E
• FindClose.KERNEL32(00000000), ref: 0040593F
Strings
• \*.*, xrefs: 00405843
• "C:\Users\user\Desktop\5006_2.6.2.exe", xrefs: 004057D8
• C:\Users\user\AppData\Local\Temp\, xrefs: 004057E5
Memory Dump Source
• Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
Similarity
• API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
• String ID: "C:\Users\user\Desktop\5006_2.6.2.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
• API String ID: 2035342205-929013018
Uniqueness
Uniqueness Score: -1.00%

APIs
• CoCreateInstance.OLE32(0040851C,?,00000001,0040850C,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021BA
• MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,0040850C,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402269
Strings
• C:\Users\user\AppData\Roaming\Windows Provisioning, xrefs: 004021FA
Memory Dump Source
• Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
Similarity
• API ID: ByteCharCreateInstanceMultiWide
• String ID: C:\Users\user\AppData\Roaming\Windows Provisioning
• API String ID: 123533781-2535408887
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402774
Memory Dump Source
• Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
Similarity
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetDlgItem.USER32(?,000003F9), ref: 00404ABA
                                                                            • GetDlgItem.USER32(?,00000408), ref: 00404AC7
                                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 00404B16
                                                                            • LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404B2D
                                                                            • SetWindowLongA.USER32(?,000000FC,004050AB), ref: 00404B47
                                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404B59
                                                                            • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404B6D
                                                                            • SendMessageA.USER32(?,00001109,00000002), ref: 00404B83
                                                                            • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404B8F
                                                                            • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404B9F
                                                                            • DeleteObject.GDI32(00000110), ref: 00404BA4
                                                                            • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404BCF
                                                                            • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404BDB
                                                                            • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C75
                                                                            • SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404CA5
                                                                              • Part of subcall function 004040D3: SendMessageA.USER32(00000028,?,00000001,00403F03), ref: 004040E1
                                                                            • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404CB9
                                                                            • GetWindowLongA.USER32(?,000000F0), ref: 00404CE7
                                                                            • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404CF5
                                                                            • ShowWindow.USER32(?,00000005), ref: 00404D05
                                                                            • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404E00
                                                                            • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404E65
                                                                            • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404E7A
                                                                            • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404E9E
                                                                            • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404EBE
                                                                            • ImageList_Destroy.COMCTL32(?), ref: 00404ED3
                                                                            • GlobalFree.KERNEL32(?), ref: 00404EE3
                                                                            • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404F5C
                                                                            • SendMessageA.USER32(?,00001102,?,?), ref: 00405005
                                                                            • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00405014
                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00405034
                                                                            • ShowWindow.USER32(?,00000000), ref: 00405082
                                                                            • GetDlgItem.USER32(?,000003FE), ref: 0040508D
                                                                            • ShowWindow.USER32(00000000), ref: 00405094
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                            • String ID: $M$N
                                                                            • API String ID: 2564846305-813528018
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C06
                                                                            • ShowWindow.USER32(?), ref: 00403C23
                                                                            • DestroyWindow.USER32 ref: 00403C37
                                                                            • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403C53
                                                                            • GetDlgItem.USER32(?,?), ref: 00403C74
                                                                            • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403C88
                                                                            • IsWindowEnabled.USER32(00000000), ref: 00403C8F
                                                                            • GetDlgItem.USER32(?,00000001), ref: 00403D3D
                                                                            • GetDlgItem.USER32(?,00000002), ref: 00403D47
                                                                            • SetClassLongA.USER32(?,000000F2,?), ref: 00403D61
                                                                            • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403DB2
                                                                            • GetDlgItem.USER32(?,00000003), ref: 00403E58
                                                                            • ShowWindow.USER32(00000000,?), ref: 00403E79
                                                                            • EnableWindow.USER32(?,?), ref: 00403E8B
                                                                            • EnableWindow.USER32(?,?), ref: 00403EA6
                                                                            • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403EBC
                                                                            • EnableMenuItem.USER32(00000000), ref: 00403EC3
                                                                            • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403EDB
                                                                            • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403EEE
                                                                            • lstrlenA.KERNEL32(0042A870,?,0042A870,00000000), ref: 00403F18
                                                                            • SetWindowTextA.USER32(?,0042A870), ref: 00403F27
                                                                            • ShowWindow.USER32(?,0000000A), ref: 0040405B
                                                                            Similarity
                                                                            • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                                                            • String ID:
                                                                            • API String ID: 184305955-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404294
                                                                            • GetDlgItem.USER32(00000000,000003E8), ref: 004042A8
                                                                            • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004042C6
                                                                            • GetSysColor.USER32(?), ref: 004042D7
                                                                            • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004042E6
                                                                            • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004042F5
                                                                            • lstrlenA.KERNEL32(?), ref: 004042F8
                                                                            • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404307
                                                                            • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 0040431C
                                                                            • GetDlgItem.USER32(?,0000040A), ref: 0040437E
                                                                            • SendMessageA.USER32(00000000), ref: 00404381
                                                                            • GetDlgItem.USER32(?,000003E8), ref: 004043AC
                                                                            • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004043EC
                                                                            • LoadCursorA.USER32(00000000,00007F02), ref: 004043FB
                                                                            • SetCursor.USER32(00000000), ref: 00404404
                                                                            • LoadCursorA.USER32(00000000,00007F00), ref: 0040441A
                                                                            • SetCursor.USER32(00000000), ref: 0040441D
                                                                            • SendMessageA.USER32(00000111,00000001,00000000), ref: 00404449
                                                                            • SendMessageA.USER32(00000010,00000000,00000000), ref: 0040445D
                                                                            Strings
                                                                            • "antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||, xrefs: 004043D7
                                                                            • N, xrefs: 0040439A
                                                                            Similarity
                                                                            • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                            • String ID: "antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||$N
                                                                            • API String ID: 3103080414-1866840078
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                                            • BeginPaint.USER32(?,?), ref: 00401047
                                                                            • GetClientRect.USER32(?,?), ref: 0040105B
                                                                            • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                            • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                            • DeleteObject.GDI32(?), ref: 004010ED
                                                                            • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                                            • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                            • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                            • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                            • DrawTextA.USER32(00000000,Windows Provisioning 2.6.2 Setup,000000FF,00000010,00000820), ref: 00401156
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                            • DeleteObject.GDI32(?), ref: 00401165
                                                                            • EndPaint.USER32(?,?), ref: 0040116E
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                            • String ID: F$Windows Provisioning 2.6.2 Setup
                                                                            • API String ID: 941294808-487385042
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405E10,?,?), ref: 00405CB0
                                                                            • GetShortPathNameA.KERNEL32(?,0042C600,00000400), ref: 00405CB9
                                                                              • Part of subcall function 00405B0E: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D69,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B1E
                                                                              • Part of subcall function 00405B0E: lstrlenA.KERNEL32(00000000,?,00000000,00405D69,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B50
                                                                            • GetShortPathNameA.KERNEL32(?,0042CA00,00000400), ref: 00405CD6
                                                                            • wsprintfA.USER32 ref: 00405CF4
                                                                            • GetFileSize.KERNEL32(00000000,00000000,0042CA00,C0000000,00000004,0042CA00,?,?,?,?,?), ref: 00405D2F
                                                                            • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405D3E
                                                                            • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D76
                                                                            • SetFilePointer.KERNEL32(0040A3B8,00000000,00000000,00000000,00000000,0042C200,00000000,-0000000A,0040A3B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405DCC
                                                                            • GlobalFree.KERNEL32(00000000), ref: 00405DDD
                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405DE4
                                                                              • Part of subcall function 00405BA9: GetFileAttributesA.KERNELBASE(00000003,00402E04,C:\Users\user\Desktop\5006_2.6.2.exe,80000000,00000003), ref: 00405BAD
                                                                              • Part of subcall function 00405BA9: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BCF
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                            • String ID: %s=%s$[Rename]
                                                                            • API String ID: 2171350718-1727408572
                                                                            • Opcode ID: f77fbfde1968c6cc6d109ac9641d83ed14e9d60a65f6ef3fc352fd67b9dcf635
                                                                            • Instruction ID: 5f10e72b046bb4c3808544f3b96a1b07f09bbbda3d3e46611c613b54f85f09c3
                                                                            • Opcode Fuzzy Hash: f77fbfde1968c6cc6d109ac9641d83ed14e9d60a65f6ef3fc352fd67b9dcf635
                                                                            • Instruction Fuzzy Hash: F631F231600B15ABD2207BA59D4DFAB3A6CDF42754F14443BFA01F62D2DA7CE8058ABD
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\5006_2.6.2.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,00403246,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040347D,?,00000006,00000008,0000000A), ref: 004062D2
                                                                            • CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004062DF
                                                                            • CharNextA.USER32(?,"C:\Users\user\Desktop\5006_2.6.2.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,00403246,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040347D,?,00000006,00000008,0000000A), ref: 004062E4
                                                                            • CharPrevA.USER32(?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000,00403246,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040347D,?,00000006,00000008,0000000A), ref: 004062F4
                                                                            Strings
                                                                            • "C:\Users\user\Desktop\5006_2.6.2.exe", xrefs: 004062B6
                                                                            • *?|<>/":, xrefs: 004062C2
                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 0040627B
                                                                            Similarity
                                                                            • API ID: Char$Next$Prev
                                                                            • String ID: "C:\Users\user\Desktop\5006_2.6.2.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                            • API String ID: 589700163-3875146732
                                                                            • Opcode ID: a4ab23b94a56fbb4e4ab915d6a0181bd243ee2e30b5e95404a857257d08c8b81
                                                                            • Instruction ID: 6247d5b4c7038ff51e561e9c2f84ae45375c8bcee8d01d3c6d5c321a6abb2e6d
                                                                            • Opcode Fuzzy Hash: a4ab23b94a56fbb4e4ab915d6a0181bd243ee2e30b5e95404a857257d08c8b81
                                                                            • Instruction Fuzzy Hash: 2211E95180479029EB3226246C40BBB7F884F97751F1A00BFE8C2722C1C67C5C52867D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetWindowLongA.USER32(?,000000EB), ref: 00404122
                                                                            • GetSysColor.USER32(00000000), ref: 00404160
                                                                            • SetTextColor.GDI32(?,00000000), ref: 0040416C
                                                                            • SetBkMode.GDI32(?,?), ref: 00404178
                                                                            • GetSysColor.USER32(?), ref: 0040418B
                                                                            • SetBkColor.GDI32(?,?), ref: 0040419B
                                                                            • DeleteObject.GDI32(?), ref: 004041B5
                                                                            • CreateBrushIndirect.GDI32(?), ref: 004041BF
                                                                            Similarity
                                                                            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                            • String ID:
                                                                            • API String ID: 2320649405-0
                                                                            • Opcode ID: 2fd397ab70c88e7053abfa2b1889d7e6adf273714bf8f91ffd366fbe1d5efa4b
                                                                            • Instruction ID: 549509973aaa983cd2a57f184cdff44cbcc336d3318ba047a0b32752f088f93e
                                                                            • Opcode Fuzzy Hash: 2fd397ab70c88e7053abfa2b1889d7e6adf273714bf8f91ffd366fbe1d5efa4b
                                                                            • Instruction Fuzzy Hash: 7D2162715007049BCB219F68DD4CB5BBBF8AF91714B048A3EEA96A66E0C734E984CB54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • lstrlenA.KERNEL32(0042A050,00000000,00427388,759223A0,?,?,?,?,?,?,?,?,?,00403156,00000000,?), ref: 00405170
                                                                            • lstrlenA.KERNEL32(00403156,0042A050,00000000,00427388,759223A0,?,?,?,?,?,?,?,?,?,00403156,00000000), ref: 00405180
                                                                            • lstrcatA.KERNEL32(0042A050,00403156,00403156,0042A050,00000000,00427388,759223A0), ref: 00405193
                                                                            • SetWindowTextA.USER32(0042A050,0042A050), ref: 004051A5
                                                                            • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051CB
                                                                            • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051E5
                                                                            • SendMessageA.USER32(?,00001013,?,00000000), ref: 004051F3
                                                                            Similarity
                                                                            • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                            • String ID:
                                                                            • API String ID: 2531174081-0
                                                                            • Opcode ID: 2f522a59394b9be444cbcacf3a1b4d18be92345b96de9eacb0d1f76aaf85f54b
                                                                            • Instruction ID: 7d4789c60296e211bada9a9e2a19d16c38d622f2d1b0cadef69f4b7d7b7d07eb
                                                                            • Opcode Fuzzy Hash: 2f522a59394b9be444cbcacf3a1b4d18be92345b96de9eacb0d1f76aaf85f54b
                                                                            • Instruction Fuzzy Hash: CE21A971900118BFDB119FA5CD85ADEBFA9EF08354F04807AF844A6291C7398E408FA8
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404A0C
                                                                            • GetMessagePos.USER32 ref: 00404A14
                                                                            • ScreenToClient.USER32(?,?), ref: 00404A2E
                                                                            • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404A40
                                                                            • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404A66
                                                                            Similarity
                                                                            • API ID: Message$Send$ClientScreen
                                                                            • String ID: f
                                                                            • API String ID: 41195575-1993550816
                                                                            • Opcode ID: b233b2991907e98a40282691d164461162982266b543cde43f51771bab81e11a
                                                                            • Instruction ID: dd2724b276b0829887a11dc4f26b79c7971af77995a7330ace4ae867cc8e4813
                                                                            • Opcode Fuzzy Hash: b233b2991907e98a40282691d164461162982266b543cde43f51771bab81e11a
                                                                            • Instruction Fuzzy Hash: 4B018071940218BADB00DB94DD81BFEBBB8AF95711F10412BBA11B61C0C7B455018FA4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402CF8
                                                                            • MulDiv.KERNEL32(010567A6,00000064,010567AA), ref: 00402D23
                                                                            • wsprintfA.USER32 ref: 00402D33
                                                                            • SetWindowTextA.USER32(?,?), ref: 00402D43
                                                                            • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402D55
                                                                            Strings
                                                                            • verifying installer: %d%%, xrefs: 00402D2D
                                                                            Similarity
                                                                            • API ID: Text$ItemTimerWindowwsprintf
                                                                            • String ID: verifying installer: %d%%
                                                                            • API String ID: 1451636040-82062127
                                                                            • Opcode ID: f8f7fb574b01a37347c2b5a7030e5195f98b1542352a9ab3f35e70a1f9b9ac5a
                                                                            • Instruction ID: 025fba79a5afffe449226ec8edfc98a8674e121caf39d96b1da50a976b993c92
                                                                            • Opcode Fuzzy Hash: f8f7fb574b01a37347c2b5a7030e5195f98b1542352a9ab3f35e70a1f9b9ac5a
                                                                            • Instruction Fuzzy Hash: AA01FF71640209FBEF249F60DE49FAE37A9FB04345F008039FA06B61D0DBB599568F59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405640
                                                                            • GetLastError.KERNEL32 ref: 00405654
                                                                            • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405669
                                                                            • GetLastError.KERNEL32 ref: 00405673
                                                                            Strings
                                                                            • C:\Users\user\Desktop, xrefs: 004055FD
                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405623
                                                                            Similarity
                                                                            • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                            • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                                                                            • API String ID: 3449924974-1521822154
                                                                            • Opcode ID: 3f07113bbed92aa299f899006a5ac68722d9e9d13463f273e10feef126da3ab7
                                                                            • Instruction ID: eb9787142c6b7489d22a19a099e3bfbf20428df61be735a73e08cf58b85abbae
                                                                            • Opcode Fuzzy Hash: 3f07113bbed92aa299f899006a5ac68722d9e9d13463f273e10feef126da3ab7
                                                                            • Instruction Fuzzy Hash: 89010871C00219EAEF009FA1C904BEFBBB8EB14354F00847AD545B6290DB7996088FA9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004027F7
                                                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402813
                                                                            • GlobalFree.KERNEL32(?), ref: 0040284C
                                                                            • GlobalFree.KERNEL32(00000000), ref: 0040285F
                                                                            • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402877
                                                                            • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040288B
                                                                            Similarity
                                                                            • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                            • String ID:
                                                                            • API String ID: 2667972263-0
                                                                            • Opcode ID: a2aa54484539e5cf0e08f909926563fd1753a777fa44bb9cc822b41f9e16e333
                                                                            • Instruction ID: 78559feecc0fcc9b474bd36237e9e6194516f5e07b3510cecd676cf0fe7807ca
                                                                            • Opcode Fuzzy Hash: a2aa54484539e5cf0e08f909926563fd1753a777fa44bb9cc822b41f9e16e333
                                                                            • Instruction Fuzzy Hash: A4217C72C00224ABCF217FA5CD49DAE7F79EF09364B10823AF520762E1CA7959419F98
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetDlgItem.USER32(?), ref: 00401D58
                                                                            • GetClientRect.USER32(?,?), ref: 00401D9F
                                                                            • LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DCD
                                                                            • SendMessageA.USER32(?,00000172,?,00000000), ref: 00401DDD
                                                                            • DeleteObject.GDI32(00000000), ref: 00401DF4
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                            • String ID:
                                                                            • API String ID: 1849352358-0
                                                                            • Opcode ID: 9644c32a9e4c878c02d501d8468e5b93635b482ba6b65d3f6b9056da4127c7af
                                                                            • Instruction ID: 7a7dd6c208c7a4d57f36c402fdb0fe657614a2e015b6db45afd3f1aca9992802
                                                                            • Opcode Fuzzy Hash: 9644c32a9e4c878c02d501d8468e5b93635b482ba6b65d3f6b9056da4127c7af
                                                                            • Instruction Fuzzy Hash: 30215172E00109AFDB05DF98DE44AEEBBB9FB58310F10403AF945F62A1CB789941CB58
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetDC.USER32(?), ref: 00401E02
                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E1C
                                                                            • MulDiv.KERNEL32(00000000,00000000), ref: 00401E24
                                                                            • ReleaseDC.USER32(?,00000000), ref: 00401E35
                                                                            • CreateFontIndirectA.GDI32(0040B818), ref: 00401E84
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: CapsCreateDeviceFontIndirectRelease
                                                                            • String ID:
                                                                            • API String ID: 3808545654-0
                                                                            • Opcode ID: 4e2ac4968fbcfc45df335883300c5f964cad547b4711af948e6fa709055a9030
                                                                            • Instruction ID: a7e809a5f5c9b27870585acda152ffb90eb46fec6a88876af75f69e410eeec04
                                                                            • Opcode Fuzzy Hash: 4e2ac4968fbcfc45df335883300c5f964cad547b4711af948e6fa709055a9030
                                                                            • Instruction Fuzzy Hash: A6015672544240AFD7016B74AE4ABA93FB8EB59305F108839F141B61F2C7750505CB9C
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7A
                                                                            • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C92
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Timeout
                                                                            • String ID: !
                                                                            • API String ID: 1777923405-2657877971
                                                                            • Opcode ID: d1a5455d7aacc09bf912e97d7887ce2258fe7abf1a6a230a252a42dd7e2e40c1
                                                                            • Instruction ID: f2250e9d7a54984aac42e0f48c7b57cae310fb8b86675e6ff90c870375dfe4cb
                                                                            • Opcode Fuzzy Hash: d1a5455d7aacc09bf912e97d7887ce2258fe7abf1a6a230a252a42dd7e2e40c1
                                                                            • Instruction Fuzzy Hash: 4D216BB1944208BEEF06AFA4D98AAAD7FB5EB44304F10447EF501B61D1C7B88640DB18
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • lstrlenA.KERNEL32(0042A870,0042A870,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404802,000000DF,00000000,00000400,?), ref: 00404985
                                                                            • wsprintfA.USER32 ref: 0040498D
                                                                            • SetDlgItemTextA.USER32(?,0042A870), ref: 004049A0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: ItemTextlstrlenwsprintf
                                                                            • String ID: %u.%u%s%s
                                                                            • API String ID: 3540041739-3551169577
                                                                            • Opcode ID: 8f52a3d2b7158611b8ddfee5cd82df9920a420a3de20037d500134a76e905cd2
                                                                            • Instruction ID: e3696489e73bdb8ba2be03c53b0d6a47c9a41464d55e6eab91935fd2637341d8
                                                                            • Opcode Fuzzy Hash: 8f52a3d2b7158611b8ddfee5cd82df9920a420a3de20037d500134a76e905cd2
                                                                            • Instruction Fuzzy Hash: 0E11E473A441286BDB10A57D9C41EAF329CDB85374F254237FA26F31D1E978CC2282A9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403258,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040347D,?,00000006,00000008,0000000A), ref: 004059AE
                                                                            • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403258,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040347D,?,00000006,00000008,0000000A), ref: 004059B7
                                                                            • lstrcatA.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 004059C8
                                                                            Strings
                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 004059A8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: CharPrevlstrcatlstrlen
                                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                                            • API String ID: 2659869361-823278215
                                                                            • Opcode ID: dfed55a16eab86d89f3af7970decdd3a6c9dbbcd65d2cf450bad9cf681275afb
                                                                            • Instruction ID: 62df29c05e3eff7e61c48a1ee3c1863d20e1198667f6a1bd608fcc747cda2104
                                                                            • Opcode Fuzzy Hash: dfed55a16eab86d89f3af7970decdd3a6c9dbbcd65d2cf450bad9cf681275afb
                                                                            • Instruction Fuzzy Hash: 90D0A9B2211A30BAE20266259E09ECF2E088F06310B060037F200B21A1CA3D0D1287FE
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00402095
                                                                              • Part of subcall function 00405137: lstrlenA.KERNEL32(0042A050,00000000,00427388,759223A0,?,?,?,?,?,?,?,?,?,00403156,00000000,?), ref: 00405170
                                                                              • Part of subcall function 00405137: lstrlenA.KERNEL32(00403156,0042A050,00000000,00427388,759223A0,?,?,?,?,?,?,?,?,?,00403156,00000000), ref: 00405180
                                                                              • Part of subcall function 00405137: lstrcatA.KERNEL32(0042A050,00403156,00403156,0042A050,00000000,00427388,759223A0), ref: 00405193
                                                                              • Part of subcall function 00405137: SetWindowTextA.USER32(0042A050,0042A050), ref: 004051A5
                                                                              • Part of subcall function 00405137: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051CB
                                                                              • Part of subcall function 00405137: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051E5
                                                                              • Part of subcall function 00405137: SendMessageA.USER32(?,00001013,?,00000000), ref: 004051F3
                                                                            • LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004020A5
                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 004020B5
                                                                            • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040211F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                                            • String ID:
                                                                            • API String ID: 2987980305-0
                                                                            • Opcode ID: 81f5fa400d44f1169190a20222c34f29c944439e06ae8ac5dbfd902d2af26aa6
                                                                            • Instruction ID: 166643d80e3f452ca3a3677f95ea327ecca8534a485506fba34b2def260d9046
                                                                            • Opcode Fuzzy Hash: 81f5fa400d44f1169190a20222c34f29c944439e06ae8ac5dbfd902d2af26aa6
                                                                            • Instruction Fuzzy Hash: EA21C671900214ABCF217FA4CF89AAE7A74AF15318F20413BF601B62D0D6FD49829A5E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C93
                                                                            • RegCloseKey.ADVAPI32(?,?,?), ref: 00402C9C
                                                                            • RegCloseKey.ADVAPI32(?,?,?), ref: 00402CBD
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: Close$Enum
                                                                            • String ID:
                                                                            • API String ID: 464197530-0
                                                                            • Opcode ID: f81053263e66775c86f22c9e7281053eb29660a1472c423ac1bc7bfee237aa75
                                                                            • Instruction ID: 2c23bb11d6ae01cf130d195ddd5538b48d854d6e1d77fd04796d14e07e1bb179
                                                                            • Opcode Fuzzy Hash: f81053263e66775c86f22c9e7281053eb29660a1472c423ac1bc7bfee237aa75
                                                                            • Instruction Fuzzy Hash: 70116A32504109FBEF129F90DF09B9E7B6DEB54340F204036BD45B61E0E7B59E15ABA8
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • DestroyWindow.USER32(00000000,00000000,00402F3E,00000001), ref: 00402D73
                                                                            • GetTickCount.KERNEL32 ref: 00402D91
                                                                            • CreateDialogParamA.USER32(0000006F,00000000,00402CDD,00000000), ref: 00402DAE
                                                                            • ShowWindow.USER32(00000000,00000005), ref: 00402DBC
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                            • String ID:
                                                                            • API String ID: 2102729457-0
                                                                            • Opcode ID: 92830607251259d7b21fa7f6a4b037c479e5f1f9739c9a057c3e932900ba9aab
                                                                            • Instruction ID: 761b86bf19c83071f88326f4280a43ff42c19d235faedd25f12e3078a496723d
                                                                            • Opcode Fuzzy Hash: 92830607251259d7b21fa7f6a4b037c479e5f1f9739c9a057c3e932900ba9aab
                                                                            • Instruction Fuzzy Hash: 62F0F431A05621ABC6217B64BE4C9DF7A64BB04B11B51047AF545B22E4DB744C878BAC
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00406010: lstrcpynA.KERNEL32(?,?,00000400,0040333D,Windows Provisioning 2.6.2 Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 0040601D
                                                                              • Part of subcall function 00405A41: CharNextA.USER32(?,?,0042BC78,?,00405AAD,0042BC78,0042BC78,75923410,?,C:\Users\user\AppData\Local\Temp\,004057F8,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A4F
                                                                              • Part of subcall function 00405A41: CharNextA.USER32(00000000), ref: 00405A54
                                                                              • Part of subcall function 00405A41: CharNextA.USER32(00000000), ref: 00405A68
                                                                            • lstrlenA.KERNEL32(0042BC78,00000000,0042BC78,0042BC78,75923410,?,C:\Users\user\AppData\Local\Temp\,004057F8,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405AE9
                                                                            • GetFileAttributesA.KERNEL32(0042BC78,0042BC78,0042BC78,0042BC78,0042BC78,0042BC78,00000000,0042BC78,0042BC78,75923410,?,C:\Users\user\AppData\Local\Temp\,004057F8,?,75923410,C:\Users\user\AppData\Local\Temp\), ref: 00405AF9
                                                                            Strings
                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A96
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                                            • API String ID: 3248276644-823278215
                                                                            • Opcode ID: a0e90dbc06f1550ade5f4dfcb0fddeac6c7db65a8ba4490088ce0944d0043635
                                                                            • Instruction ID: 19c9bca0149f7da3aa3ccb8fe98c792d35a3de88cc2685bd8f8020a319c38c36
                                                                            • Opcode Fuzzy Hash: a0e90dbc06f1550ade5f4dfcb0fddeac6c7db65a8ba4490088ce0944d0043635
                                                                            • Instruction Fuzzy Hash: 94F0F425305D6116DA22323A5D85AAF2A44CED632471A073BF852B12C3DB3C89439DFE
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • IsWindowVisible.USER32(?), ref: 004050DA
                                                                            • CallWindowProcA.USER32(?,?,?,?), ref: 0040512B
                                                                              • Part of subcall function 004040EA: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004040FC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: Window$CallMessageProcSendVisible
                                                                            • String ID:
                                                                            • API String ID: 3748168415-3916222277
                                                                            • Opcode ID: e888eab98be9719f5677808cf14d784dfa63dd3181dd39c0deeb7150e6d77b2f
                                                                            • Instruction ID: 77e6a5b3f6bfc6627eb61d09ca0671ae0e6a579f7b3ef645513b94fc1d41cd39
                                                                            • Opcode Fuzzy Hash: e888eab98be9719f5677808cf14d784dfa63dd3181dd39c0deeb7150e6d77b2f
                                                                            • Instruction Fuzzy Hash: FD017171600648ABDF206F11DD81A5B3B65EB84750F144036FA417A1D2D73A8C629F6E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,"antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||,0042A050,?,?,?,00000002,"antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||,?,0040613B,80000002), ref: 00405F3D
                                                                            • RegCloseKey.ADVAPI32(?,?,0040613B,80000002,Software\Microsoft\Windows\CurrentVersion,"antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||,"antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||,"antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||,?,0042A050), ref: 00405F48
                                                                            Strings
                                                                            • "antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||, xrefs: 00405EFA, 00405F2E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: CloseQueryValue
                                                                            • String ID: "antivirus_detector.exe" C:\Users\user\Desktop\5006_2.6.2.exe|C:\Users\user\AppData\Roaming\Windows Provisioning||
                                                                            • API String ID: 3356406503-2781392156
                                                                            • Opcode ID: fbc34f94f804cf7f8ceee3a94302c0ccfb61d5b85e95000fdd84f5b54f9224ff
                                                                            • Instruction ID: 2ff6a7a209fcbf00177f68e0cac6a7fed3d2e9df1b1dc864ec66af95abe17f1f
                                                                            • Opcode Fuzzy Hash: fbc34f94f804cf7f8ceee3a94302c0ccfb61d5b85e95000fdd84f5b54f9224ff
                                                                            • Instruction Fuzzy Hash: 63017C7250060AABDF228F61CD09FDB3FA8EF59364F04403AF955E2190D2B8DA54CFA4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • FreeLibrary.KERNEL32(?,75923410,00000000,C:\Users\user\AppData\Local\Temp\,00403770,0040358A,?,?,00000006,00000008,0000000A), ref: 004037B2
                                                                            • GlobalFree.KERNEL32(00000000), ref: 004037B9
                                                                            Strings
                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00403798
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: Free$GlobalLibrary
                                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                                            • API String ID: 1100898210-823278215
                                                                            • Opcode ID: 248c780681ff10c09d9810c58c710ba8abcca500869ff380da07a7f320702544
                                                                            • Instruction ID: 06ba742c3ad1fb67bc09d12af4c86e1058789e05b1a36190638fabe2eea0851a
                                                                            • Opcode Fuzzy Hash: 248c780681ff10c09d9810c58c710ba8abcca500869ff380da07a7f320702544
                                                                            • Instruction Fuzzy Hash: EAE0C27352212097C7312F15EE04B1AB7A86F86F22F09403AE8407B2A087741C438BCC
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402E30,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\5006_2.6.2.exe,C:\Users\user\Desktop\5006_2.6.2.exe,80000000,00000003), ref: 004059F5
                                                                            • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E30,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\5006_2.6.2.exe,C:\Users\user\Desktop\5006_2.6.2.exe,80000000,00000003), ref: 00405A03
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: CharPrevlstrlen
                                                                            • String ID: C:\Users\user\Desktop
                                                                            • API String ID: 2709904686-1246513382
                                                                            • Opcode ID: 4402843b33e5109e67992b99d0281bb7e81fac819ebae0ac34b6d7d52c4d849b
                                                                            • Instruction ID: 7185998fb8cc4c4ccda179d560b4c8302004e2739ffdff7e1043df3a51136750
                                                                            • Opcode Fuzzy Hash: 4402843b33e5109e67992b99d0281bb7e81fac819ebae0ac34b6d7d52c4d849b
                                                                            • Instruction Fuzzy Hash: E6D0C7B3519DB06EE30392549D04B9F6A48DF16710F094566E181A6195C6784D424BED
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D69,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B1E
                                                                            • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405B36
                                                                            • CharNextA.USER32(00000000,?,00000000,00405D69,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B47
                                                                            • lstrlenA.KERNEL32(00000000,?,00000000,00405D69,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B50
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1991310187.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.1991298196.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991336061.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991349244.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1991396817.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_5006_2.jbxd
                                                                            Similarity
                                                                            • API ID: lstrlen$CharNextlstrcmpi
                                                                            • String ID:
                                                                            • API String ID: 190613189-0
                                                                            • Opcode ID: dddc0b46adaff912d9c321cf48e41736a02eed0190ef2a74250491e495455120
                                                                            • Instruction ID: 0197496b5d832c36441f5dd9a15c5c44ab4bce902fcb82863052ee0cfca36748
                                                                            • Opcode Fuzzy Hash: dddc0b46adaff912d9c321cf48e41736a02eed0190ef2a74250491e495455120
                                                                            • Instruction Fuzzy Hash: C9F0C231600418BFC7029BA5DD00D9EBBB8DF06250B2540BAE840F7210D634FE019BA8
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Execution Graph

                                                                            Execution Coverage:19.5%
                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                            Signature Coverage:12.8%
                                                                            Total number of Nodes:2000
                                                                            Total number of Limit Nodes:22
9714 a01738 9713->9714 9715 9f5620 18 API calls 9714->9715 9716 a01769 9715->9716 9717 9f5620 18 API calls 9716->9717 9718 a01794 9717->9718 9719 9f5620 18 API calls 9718->9719 9720 a017b9 9719->9720 9721 9f5620 18 API calls 9720->9721 9722 a017de 9721->9722 9723 9f6430 19 API calls 9722->9723 9724 a017f2 9723->9724 9725 9f6430 19 API calls 9724->9725 9726 a01813 9725->9726 9727 9f6540 15 API calls 9726->9727 9728 a0182e 9727->9728 10741 a03420 9728->10741 9730 a0184c 9731 a01890 9730->9731 9733 a0186b 9730->9733 9736 9f5b90 4 API calls 9730->9736 9732 a018a8 9731->9732 9734 9f5b90 4 API calls 9731->9734 9735 a018d9 9732->9735 9737 9f5b90 4 API calls 9732->9737 9739 9f5a50 memcpy 9733->9739 9734->9732 10748 9fb710 9735->10748 9736->9733 9737->9735 9739->9731 9741 a03420 9 API calls 9742 a01913 9741->9742 9743 a01957 9742->9743 9745 a01932 9742->9745 9746 9f5b90 4 API calls 9742->9746 9744 a0196d 9743->9744 9747 9f5b90 4 API calls 9743->9747 9748 9fb710 16 API calls 9744->9748 9750 9f5a50 memcpy 9745->9750 9746->9745 9747->9744 9749 a01989 9748->9749 9751 a03420 9 API calls 9749->9751 9750->9743 9752 a019a7 9751->9752 9753 a019eb 9752->9753 9755 a019c6 9752->9755 9756 9f5b90 4 API calls 9752->9756 9754 a01a01 9753->9754 9757 9f5b90 4 API calls 9753->9757 9758 9fb710 16 API calls 9754->9758 9760 9f5a50 memcpy 9755->9760 9756->9755 9757->9754 9759 a01a1d 9758->9759 9761 a03420 9 API calls 9759->9761 9760->9753 9762 a01a3b 9761->9762 9763 a01a7f 9762->9763 9765 a01a5a 9762->9765 9766 9f5b90 4 API calls 9762->9766 9764 a01a95 9763->9764 9767 9f5b90 4 API calls 9763->9767 9768 9fb710 16 API calls 9764->9768 9770 9f5a50 memcpy 9765->9770 9766->9765 9767->9764 9769 a01ab1 9768->9769 9771 a03420 9 API calls 9769->9771 9770->9763 9772 a01acf 9771->9772 9773 a01b13 9772->9773 9775 a01aee 9772->9775 9776 9f5b90 4 API calls 9772->9776 9774 a01b29 9773->9774 9777 9f5b90 4 API calls 9773->9777 9778 9fb710 16 API calls 9774->9778 9780 9f5a50 memcpy 9775->9780 9776->9775 9777->9774 
9779 a01b45 9778->9779 9781 a03420 9 API calls 9779->9781 9780->9773 9782 a01b63 9781->9782 9783 a01ba7 9782->9783 9785 a01b82 9782->9785 9786 9f5b90 4 API calls 9782->9786 9784 a01bbd 9783->9784 9787 9f5b90 4 API calls 9783->9787 9788 9fb710 16 API calls 9784->9788 9790 9f5a50 memcpy 9785->9790 9786->9785 9787->9784 9789 a01bd9 9788->9789 9791 a03420 9 API calls 9789->9791 9790->9783 9792 a01bf7 9791->9792 9793 a01c3b 9792->9793 9795 a01c16 9792->9795 9796 9f5b90 4 API calls 9792->9796 9794 a01c51 9793->9794 9797 9f5b90 4 API calls 9793->9797 9798 9fb710 16 API calls 9794->9798 9800 9f5a50 memcpy 9795->9800 9796->9795 9797->9794 9799 a01c6d 9798->9799 9801 a03420 9 API calls 9799->9801 9800->9793 9802 a01c8b 9801->9802 9803 a01ccf 9802->9803 9805 a01caa 9802->9805 9806 9f5b90 4 API calls 9802->9806 9804 a01ce5 9803->9804 9807 9f5b90 4 API calls 9803->9807 9808 9fb710 16 API calls 9804->9808 9810 9f5a50 memcpy 9805->9810 9806->9805 9807->9804 9809 a01cfe 9808->9809 9811 a03420 9 API calls 9809->9811 9810->9803 9812 a01d1c 9811->9812 9813 a01d60 9812->9813 9815 a01d3b 9812->9815 9816 9f5b90 4 API calls 9812->9816 9814 a01d76 9813->9814 9817 9f5b90 4 API calls 9813->9817 9818 a03420 9 API calls 9814->9818 9820 9f5a50 memcpy 9815->9820 9816->9815 9817->9814 9819 a01d95 9818->9819 9821 9f5720 16 API calls 9819->9821 9820->9813 9822 a01dae 9821->9822 9823 a03420 9 API calls 9822->9823 9824 a01dcd 9823->9824 9825 9f5720 16 API calls 9824->9825 9826 a01de6 9825->9826 9827 a03420 9 API calls 9826->9827 9828 a01e05 9827->9828 9829 9f5720 16 API calls 9828->9829 9830 a01e1e 9829->9830 9831 a03420 9 API calls 9830->9831 9832 a01e3d 9831->9832 9833 9f5720 16 API calls 9832->9833 9834 a01e53 9833->9834 9835 a01e65 9834->9835 9836 9f5b90 4 API calls 9834->9836 9837 a01e89 9835->9837 9839 9f5b90 4 API calls 9835->9839 9836->9835 9838 a01ead 9837->9838 9840 9f5b90 4 API calls 9837->9840 9841 a01ed4 9838->9841 9842 9f5b90 4 API calls 9838->9842 9839->9837 9840->9838 9843 a01f01 
9841->9843 9844 9f5b90 4 API calls 9841->9844 9842->9841 9845 a01f34 9843->9845 9846 9f5b90 4 API calls 9843->9846 9844->9843 9847 a01f67 9845->9847 9848 9f5b90 4 API calls 9845->9848 9846->9845 9849 a01f9a 9847->9849 9850 9f5b90 4 API calls 9847->9850 9848->9847 9851 a01fcd 9849->9851 9852 9f5b90 4 API calls 9849->9852 9850->9849 9853 a02000 9851->9853 9854 9f5b90 4 API calls 9851->9854 9852->9851 9855 a02033 9853->9855 9856 9f5b90 4 API calls 9853->9856 9854->9853 9857 a02066 9855->9857 9858 9f5b90 4 API calls 9855->9858 9856->9855 9859 a02099 9857->9859 9860 9f5b90 4 API calls 9857->9860 9858->9857 9861 9f4fe0 4 API calls 9859->9861 9860->9859 9862 a020bb 9861->9862 9863 a05b3b __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 9862->9863 9864 9f3529 9863->9864 9865 a01200 9864->9865 9866 a0121f 9865->9866 9867 a01243 9866->9867 9868 a0126f 9866->9868 9869 9f5620 18 API calls 9867->9869 9870 a03420 9 API calls 9868->9870 9871 a01265 9869->9871 9872 a0127c 9870->9872 9871->9150 9873 9f5720 16 API calls 9872->9873 9874 a012a2 9873->9874 9874->9150 9876 9f6430 19 API calls 9875->9876 9877 a02120 9876->9877 9878 9f6540 15 API calls 9877->9878 9879 a02139 9878->9879 9880 9f63e0 18 API calls 9879->9880 9881 a0214f 9880->9881 9882 a02164 9881->9882 9883 9f5b90 4 API calls 9881->9883 9884 a0218c 9882->9884 9885 9f5b90 4 API calls 9882->9885 9883->9882 9886 9f6430 19 API calls 9884->9886 9885->9884 9887 a021b8 9886->9887 9888 9f6540 15 API calls 9887->9888 9889 a021d1 9888->9889 9890 9f63e0 18 API calls 9889->9890 9891 a021ea 9890->9891 9892 9f6540 15 API calls 9891->9892 9893 a02203 9892->9893 9894 a03420 9 API calls 9893->9894 9895 a02221 9894->9895 9896 a02265 9895->9896 9897 a02240 9895->9897 9900 9f5b90 4 API calls 9895->9900 9898 a0227a 9896->9898 9901 9f5b90 4 API calls 9896->9901 9906 9f5a50 memcpy 9897->9906 9899 a022a7 9898->9899 9902 9f5b90 4 API calls 9898->9902 9903 a022da 9899->9903 9904 9f5b90 4 API calls 9899->9904 9900->9897 9901->9898 9902->9899 
9905 a0230b 9903->9905 9907 9f5b90 4 API calls 9903->9907 9904->9903 9908 9fb710 16 API calls 9905->9908 9906->9896 9907->9905 9909 a02325 9908->9909 9910 a03420 9 API calls 9909->9910 9911 a02343 9910->9911 9912 a02387 9911->9912 9914 a02362 9911->9914 9915 9f5b90 4 API calls 9911->9915 9913 a0239d 9912->9913 9916 9f5b90 4 API calls 9912->9916 9917 9fb710 16 API calls 9913->9917 9919 9f5a50 memcpy 9914->9919 9915->9914 9916->9913 9918 a023b7 9917->9918 9920 a03420 9 API calls 9918->9920 9919->9912 9921 a023d5 9920->9921 9922 a02419 9921->9922 9924 a023f4 9921->9924 9925 9f5b90 4 API calls 9921->9925 9923 a0242f 9922->9923 9926 9f5b90 4 API calls 9922->9926 9927 9fb710 16 API calls 9923->9927 9929 9f5a50 memcpy 9924->9929 9925->9924 9926->9923 9928 a02449 9927->9928 9930 a03420 9 API calls 9928->9930 9929->9922 9931 a02467 9930->9931 9932 a024ab 9931->9932 9934 a02486 9931->9934 9935 9f5b90 4 API calls 9931->9935 9933 a024c1 9932->9933 9936 9f5b90 4 API calls 9932->9936 9937 9fb710 16 API calls 9933->9937 9939 9f5a50 memcpy 9934->9939 9935->9934 9936->9933 9938 a024db 9937->9938 9940 a03420 9 API calls 9938->9940 9939->9932 9941 a024f9 9940->9941 9942 a0253d 9941->9942 9944 9f5b90 4 API calls 9941->9944 9947 a02518 9941->9947 9943 a02553 9942->9943 9945 9f5b90 4 API calls 9942->9945 9946 9fb710 16 API calls 9943->9946 9944->9947 9945->9943 9948 a0256d 9946->9948 9949 9f5a50 memcpy 9947->9949 9950 a03420 9 API calls 9948->9950 9949->9942 9951 a0258b 9950->9951 9952 a025cf 9951->9952 9954 a025aa 9951->9954 9955 9f5b90 4 API calls 9951->9955 9953 a025e5 9952->9953 9956 9f5b90 4 API calls 9952->9956 9957 9fb710 16 API calls 9953->9957 9959 9f5a50 memcpy 9954->9959 9955->9954 9956->9953 9958 a025ff 9957->9958 9960 a03420 9 API calls 9958->9960 9959->9952 9961 a0261d 9960->9961 9962 a02661 9961->9962 9964 a0263c 9961->9964 9965 9f5b90 4 API calls 9961->9965 9963 a02677 9962->9963 9966 9f5b90 4 API calls 9962->9966 9967 9fb710 16 API calls 9963->9967 9969 9f5a50 memcpy 
9964->9969 9965->9964 9966->9963 9968 a02691 9967->9968 9970 a03420 9 API calls 9968->9970 9969->9962 9971 a026af 9970->9971 9972 a026f3 9971->9972 9974 a026ce 9971->9974 9975 9f5b90 4 API calls 9971->9975 9973 a02709 9972->9973 9976 9f5b90 4 API calls 9972->9976 9977 9fb710 16 API calls 9973->9977 9979 9f5a50 memcpy 9974->9979 9975->9974 9976->9973 9978 a02723 9977->9978 9980 a03420 9 API calls 9978->9980 9979->9972 9981 a02741 9980->9981 9982 a02785 9981->9982 9984 a02760 9981->9984 9985 9f5b90 4 API calls 9981->9985 9983 a0279b 9982->9983 9986 9f5b90 4 API calls 9982->9986 9987 9fb710 16 API calls 9983->9987 9989 9f5a50 memcpy 9984->9989 9985->9984 9986->9983 9988 a027b5 9987->9988 9990 a03420 9 API calls 9988->9990 9989->9982 9991 a027d3 9990->9991 9992 a02817 9991->9992 9994 a027f2 9991->9994 9995 9f5b90 4 API calls 9991->9995 9993 a0282d 9992->9993 9996 9f5b90 4 API calls 9992->9996 9997 9f6430 19 API calls 9993->9997 9999 9f5a50 memcpy 9994->9999 9995->9994 9996->9993 9998 a02847 9997->9998 10000 a03420 9 API calls 9998->10000 9999->9992 10001 a02865 10000->10001 10002 a028a9 10001->10002 10004 a02884 10001->10004 10005 9f5b90 4 API calls 10001->10005 10003 a028bf 10002->10003 10006 9f5b90 4 API calls 10002->10006 10007 a03420 9 API calls 10003->10007 10009 9f5a50 memcpy 10004->10009 10005->10004 10006->10003 10008 a028de 10007->10008 10010 9f5720 16 API calls 10008->10010 10009->10002 10011 a028f5 10010->10011 10012 a03420 9 API calls 10011->10012 10013 a02914 10012->10013 10014 9f5720 16 API calls 10013->10014 10015 a0292b 10014->10015 10016 a03420 9 API calls 10015->10016 10017 a0294a 10016->10017 10018 9f5720 16 API calls 10017->10018 10019 a02961 10018->10019 10020 a03420 9 API calls 10019->10020 10021 a02980 10020->10021 10022 9f5720 16 API calls 10021->10022 10023 a02997 10022->10023 10024 a03420 9 API calls 10023->10024 10025 a029b6 10024->10025 10026 9f5720 16 API calls 10025->10026 10027 a029cd 10026->10027 10028 a03420 9 API calls 10027->10028 
10029 a029ec 10028->10029 10030 9f5720 16 API calls 10029->10030 10031 a02a03 10030->10031 10032 a03420 9 API calls 10031->10032 10033 a02a22 10032->10033 10034 9f5620 18 API calls 10033->10034 10035 a02a37 10034->10035 10036 a03420 9 API calls 10035->10036 10037 a02a56 10036->10037 10038 9f5620 18 API calls 10037->10038 10039 a02a6b 10038->10039 10040 a02a7d 10039->10040 10041 9f5b90 4 API calls 10039->10041 10042 a05b3b __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 10040->10042 10041->10040 10043 9f360b 10042->10043 10043->9185 10045 9f5720 16 API calls 10044->10045 10046 9f377b 10045->10046 10046->9223 10294 9f4fa0 10046->10294 10048 9f648b 10047->10048 10049 9f64d8 10048->10049 10051 9f5e80 12 API calls 10048->10051 10050 9f5960 14 API calls 10049->10050 10052 9f64fd 10050->10052 10051->10049 10053 9f5840 17 API calls 10052->10053 10054 9f37b4 10053->10054 10055 9f5120 10054->10055 10056 9f513f 10055->10056 10057 9f5151 10055->10057 10058 9f5620 18 API calls 10056->10058 10060 9f5620 18 API calls 10057->10060 10059 9f514a 10058->10059 10061 9f516a 10060->10061 10135 a05b51 new 4 API calls 10134->10135 10136 9fbcb2 InitializeCriticalSection 10135->10136 10136->9076 10138 9f9f95 GetLastError 10137->10138 10143 9f9f5c WTSFreeMemory 10137->10143 10140 9f2740 5 API calls 10138->10140 10141 9f9fab 10140->10141 10145 9f2740 5 API calls 10141->10145 10142 9f9f84 10144 a05b3b __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 10142->10144 10143->10141 10143->10142 10146 9f9f91 10144->10146 10147 9f9fbf 10145->10147 10146->9089 10148 a05b3b __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 10147->10148 10149 9f9fcf 10148->10149 10149->9089 10151 9f5240 20 API calls 10150->10151 10152 9fb98d 10151->10152 10844 a046b0 memset CreateToolhelp32Snapshot 10152->10844 10155 9fb9b1 10157 9fb9cf 10155->10157 10161 9fb9e8 10155->10161 10156 9f5b30 5 API calls 10156->10155 10158 9f2740 5 API calls 10157->10158 10159 9fb9de 10158->10159 10886 9f9590 10159->10886 
10160 9fb9f7 ProcessIdToSessionId 10160->10161 10161->10159 10161->10160 10162 9fba25 OpenProcess 10161->10162 10176 9fbac9 CloseHandle 10161->10176 10859 a049e0 OpenProcess 10161->10859 10165 9fbb07 GetLastError 10162->10165 10166 9fba40 OpenProcessToken 10162->10166 10170 9f2740 5 API calls 10165->10170 10168 9fba5f DuplicateTokenEx 10166->10168 10169 9fbab0 GetLastError 10166->10169 10173 9fba8c GetLastError 10168->10173 10174 9fba7b CloseHandle 10168->10174 10171 9f2740 5 API calls 10169->10171 10170->10159 10171->10161 10172 a05b3b __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 10175 9f2f66 10172->10175 10177 9f2740 5 API calls 10173->10177 10174->10176 10175->9086 10175->9100 10176->10161 10178 9fbaa2 CloseHandle 10177->10178 10178->10176 10180 9fbb5e memset CreateEnvironmentBlock 10179->10180 10181 9fbb4b 10179->10181 10183 9fbba0 CreateProcessAsUserW 10180->10183 10182 a05b3b __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 10181->10182 10184 9fbb5a 10182->10184 10186 9fbbdb 10183->10186 10187 9fbbd4 DestroyEnvironmentBlock 10183->10187 10184->9104 10188 9fbbec 10186->10188 10189 9fbbe9 CloseHandle 10186->10189 10187->10186 10190 9fbbf7 10188->10190 10191 9fbbf4 CloseHandle 10188->10191 10189->10188 10192 a05b3b __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 10190->10192 10191->10190 10193 9fbc09 10192->10193 10193->9104 10195 9f279d 10194->10195 10196 9f2770 10194->10196 10195->9086 10197 a05b51 new 4 API calls 10196->10197 10198 9f2777 10197->10198 10199 9fbc50 5 API calls 10198->10199 10199->10195 10201 9f4f33 10200->10201 10202 9f4f21 10200->10202 10205 9f5240 20 API calls 10201->10205 10203 9f5240 20 API calls 10202->10203 10204 9f4f2c 10203->10204 10204->9141 10206 9f4f59 10205->10206 10206->9141 10208 9f4f6c 10207->10208 10211 9f4f7a 10207->10211 10209 9f5620 18 API calls 10208->10209 10210 9f4f75 10209->10210 10210->9166 10212 9f5620 18 API calls 10211->10212 10213 9f4f91 10212->10213 10213->9166 10215 9f5b46 10214->10215 10216 
9f5b40 _invalid_parameter_noinfo_noreturn 10214->10216 10217 9f5b7f 10215->10217 10218 9f5b5a 10215->10218 10219 9f5b54 _invalid_parameter_noinfo_noreturn 10215->10219 10216->10215 10217->9133 10220 9f5b67 10218->10220 10221 9f5b61 _invalid_parameter_noinfo_noreturn 10218->10221 10219->10218 10222 9f5b6e _invalid_parameter_noinfo_noreturn 10220->10222 10223 9f5b74 10220->10223 10221->10220 10222->10223 10223->10217 10224 9f5b79 _invalid_parameter_noinfo_noreturn 10223->10224 10224->10217 10226 a00f4f 10225->10226 10232 a00f56 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 10225->10232 11060 a03be0 10226->11060 10228 a00f78 10230 9f5b90 4 API calls 10228->10230 10231 a00fa5 10228->10231 10229 9f5b90 4 API calls 10229->10228 10230->10231 10233 a00fd2 10231->10233 10234 9f5b90 4 API calls 10231->10234 10232->10228 10232->10229 10235 a00fff 10233->10235 10236 9f5b90 4 API calls 10233->10236 10234->10233 10237 a0102c 10235->10237 10238 9f5b30 5 API calls 10235->10238 10236->10235 11066 a02f00 10237->11066 10238->10237 10240 a01057 10240->9171 10242 9fd043 10241->10242 10243 9fd034 MoveFileExA 10241->10243 10242->9193 10243->10242 11083 9f24e0 10244->11083 10246 9f254a __stdio_common_vsprintf 10246->9240 10248 9fc23f MultiByteToWideChar 10247->10248 10249 9fc21d 10247->10249 11084 9fcb20 10248->11084 10250 a05b3b __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 10249->10250 10252 9fc23b 10250->10252 10252->9277 10295 9f4fac 10294->10295 10296 9f4fba 10294->10296 10297 9f5840 17 API calls 10295->10297 10299 9f5840 17 API calls 10296->10299 10298 9f4fb5 10297->10298 10298->9223 10300 9f4fd1 10299->10300 10300->9223 10316 a02b11 GetLastError 10315->10316 10317 a02b01 SetEvent CloseHandle 10315->10317 10319 9f2740 5 API calls 10316->10319 10318 a02b27 10317->10318 10320 a01200 19 API calls 10318->10320 10319->10318 10321 a02b39 10320->10321 10322 a02b50 44 API calls 10321->10322 10323 9f3bae 10322->10323 10323->9226 10325 9f27d0 5 API calls 10324->10325 10326 a02b96 
OpenSCManagerW 10325->10326 10327 a02bb5 10326->10327 10328 a02e9a GetLastError 10326->10328 10329 a02e7d 10327->10329 10330 a02bbf OpenServiceA 10327->10330 10331 9f2740 5 API calls 10328->10331 10332 9f2740 5 API calls 10329->10332 10333 a02e4d GetLastError 10330->10333 10334 a02bde ChangeServiceConfig2W GetTickCount QueryServiceStatusEx 10330->10334 10425 9f63fd 10424->10425 10425->10425 10426 9f5840 17 API calls 10425->10426 10427 9f6418 10426->10427 10428 9f50a0 memcpy 10427->10428 10429 9f3c3a 10428->10429 10429->9218 10430 9f5b90 10429->10430 10431 9f5b9f 10430->10431 10438 9f5bce 10430->10438 10432 9f5ba9 10431->10432 10433 9f5ba3 _invalid_parameter_noinfo_noreturn 10431->10433 10434 9f5bb6 10432->10434 10435 9f5bb0 _invalid_parameter_noinfo_noreturn 10432->10435 10433->10432 10436 9f5bbd _invalid_parameter_noinfo_noreturn 10434->10436 10437 9f5bc3 10434->10437 10435->10434 10436->10437 10437->10438 10439 9f5bc8 _invalid_parameter_noinfo_noreturn 10437->10439 10438->9218 10439->10438 10441 9f5620 18 API calls 10440->10441 10442 9f2b63 _stat64i32 10441->10442 10443 9f2b8a _stat64i32 10442->10443 10444 9f2dfa 10442->10444 10445 9f2bb5 10443->10445 10446 9f2c1b 10443->10446 10447 9f2e19 10444->10447 10450 9f5b90 4 API calls 10444->10450 10449 9fd0a0 5 API calls 10445->10449 10446->10444 10451 9f5120 18 API calls 10446->10451 10448 9f2e3d 10447->10448 10452 9f5b90 4 API calls 10447->10452 10453 a05b3b __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 10448->10453 10457 9f2bbf 10449->10457 10450->10447 10454 9f2c4f 10451->10454 10452->10448 10457->10446 10523 9f68dd 10522->10523 10524 9f68d0 DeleteObject 10522->10524 10525 9f68e6 DeleteObject 10523->10525 10526 9f68f3 10523->10526 10524->10523 10525->10526 10527 9f68fc DeleteObject 10526->10527 10528 9f6909 10526->10528 10527->10528 10529 9f691f 10528->10529 10530 9f6912 DeleteObject 10528->10530 10531 9f6928 DeleteObject 10529->10531 10532 9f6935 10529->10532 10530->10529 10531->10532 10533 9f693e 
DeleteObject 10532->10533 10534 9f694b 10532->10534 10533->10534 10535 9f6954 DeleteObject 10534->10535 10536 9f6961 10534->10536 10535->10536 10537 9f696a DeleteObject 10536->10537 10538 9f6977 10536->10538 10537->10538 10539 a00f40 9 API calls 10538->10539 10540 9f6988 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 10538->10540 10539->10540 10540->9213 10565 a014c0 SHGetSpecialFolderPathA 10548->10565 10551 9f63e0 18 API calls 10552 a010c3 10551->10552 10571 9f6540 10552->10571 10555 9f63e0 18 API calls 10556 a010e8 10555->10556 10557 a010fd 10556->10557 10558 9f5b90 4 API calls 10556->10558 10559 9f5b90 4 API calls 10557->10559 10561 a01121 10557->10561 10558->10557 10559->10561 10560 a01145 10562 a05b3b __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 10560->10562 10561->10560 10563 9f5b90 4 API calls 10561->10563 10564 a0115d 10562->10564 10563->10560 10564->9506 10566 a01513 10565->10566 10566->10566 10567 9f5620 18 API calls 10566->10567 10568 a01538 10567->10568 10569 a05b3b __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 10568->10569 10570 a010ad 10569->10570 10570->10551 10576 9f5960 10571->10576 10577 9f5975 ?_Xout_of_range@std@@YAXPBD 10576->10577 10578 9f5980 10576->10578 10577->10578 10579 9f5998 ?_Xlength_error@std@@YAXPBD 10578->10579 10580 9f59a3 10578->10580 10579->10580 10581 9f59be 10580->10581 10582 9f59b3 ?_Xlength_error@std@@YAXPBD 10580->10582 10585 9f59e9 10580->10585 10584 9f59cc 10581->10584 10591 9f6170 10581->10591 10582->10581 10584->10585 10586 9f5a12 memcpy 10584->10586 10587 9f50a0 10585->10587 10586->10585 10588 9f50d7 10587->10588 10589 9f50c1 10587->10589 10588->10555 10589->10588 10590 9f50c9 memcpy 10589->10590 10590->10588 10592 9f61ad 10591->10592 10593 9f6212 10592->10593 10594 9f61f1 10592->10594 10600 9f61e6 10592->10600 10597 a05b51 new 4 API calls 10593->10597 10595 9f61fe 10594->10595 10596 9f61f8 ?_Xbad_alloc@std@ 10594->10596 10599 a05b51 new 4 API calls 10595->10599 10596->10595 10597->10600 10598 9f6267 10601 
9f5b90 4 API calls 10598->10601 10603 9f6278 10598->10603 10599->10600 10600->10598 10602 9f625c memcpy 10600->10602 10601->10603 10602->10598 10603->10584 10610 a0640d 10604->10610 10606 a0648e _CxxThrowException 10611 a063da 10607->10611 10609 a06471 _CxxThrowException 10610->10606 10611->10609 10623 9fa720 10612->10623 10615 9f5620 18 API calls 10616 9fb1aa 10615->10616 10617 a05b3b __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 10616->10617 10618 9faa38 10617->10618 10618->9544 10620 9f5a60 10619->10620 10622 9f5a76 10619->10622 10621 9f5a68 memcpy 10620->10621 10620->10622 10621->10622 10622->9558 10626 9fa6f0 10623->10626 10625 9fa737 10625->10615 10629 9f24e0 10626->10629 10628 9fa705 __stdio_common_vsprintf_s 10628->10625 10629->10628 10631 9f5f41 ?_Xout_of_range@std@@YAXPBD 10630->10631 10632 9f5f4c 10630->10632 10631->10632 10633 9f5f96 memcpy 10632->10633 10634 9f577a 10632->10634 10633->10634 10634->9118 10636 a05b51 new 4 API calls 10635->10636 10637 9ffc27 GetCurrentProcess IsWow64Process 10636->10637 10637->9643 10639 9f5296 10638->10639 10643 9f524e 10638->10643 10640 9f52ad 10639->10640 10641 9f52a2 ?_Xlength_error@std@@YAXPBD 10639->10641 10644 9f52bd 10640->10644 10718 9f5fd0 10640->10718 10641->10640 10643->10639 10645 9f5275 10643->10645 10646 9f52fc memcpy 10644->10646 10647 9f52cf 10644->10647 10648 9f5340 18 API calls 10645->10648 10646->10647 10647->9645 10649 9f5290 10648->10649 10649->9645 10651 9f5d25 ?_Xout_of_range@std@@YAXPBD 10650->10651 10652 9f5d30 10650->10652 10651->10652 10653 9f5d48 ?_Xlength_error@std@@YAXPBD 10652->10653 10654 9f5d53 10652->10654 10653->10654 10655 9f5d66 ?_Xlength_error@std@@YAXPBD 10654->10655 10656 9f5d71 10654->10656 10660 9f5d9c 10654->10660 10655->10656 10657 9f5fd0 12 API calls 10656->10657 10658 9f5d7f 10656->10658 10657->10658 10659 9f5dc9 memcpy 10658->10659 10658->10660 10659->10660 10661 9f5460 10660->10661 10662 9f54b6 10661->10662 10667 9f546e 10661->10667 10663 9f54cf 10662->10663 10664 
9f54c4 ?_Xlength_error@std@@YAXPBD 10662->10664 10665 9f54ee 10663->10665 10666 9f54e3 ?_Xlength_error@std@@YAXPBD 10663->10666 10669 9f5511 10663->10669 10664->10663 10668 9f5fd0 12 API calls 10665->10668 10671 9f54fc 10665->10671 10666->10665 10667->10662 10670 9f5495 10667->10670 10668->10671 10669->9651 10673 9f5d10 16 API calls 10670->10673 10671->10669 10672 9f553e memcpy 10671->10672 10672->10669 10674 9f54b0 10673->10674 10674->9651 10676 9f5355 ?_Xout_of_range@std@@YAXPBD 10675->10676 10677 9f5360 10675->10677 10676->10677 10678 9f536e 10677->10678 10679 9f53a8 10677->10679 10680 9f5376 ?_Xout_of_range@std@@YAXPBD 10678->10680 10681 9f5381 10678->10681 10682 9f53bb 10679->10682 10683 9f53b0 ?_Xlength_error@std@@YAXPBD 10679->10683 10680->10681 10733 9f5c60 10681->10733 10684 9f5fd0 12 API calls 10682->10684 10686 9f53cb 10682->10686 10683->10682 10684->10686 10688 9f53e8 10686->10688 10689 9f5415 memcpy 10686->10689 10688->9657 10689->10688 10691 a03b24 10690->10691 10692 9f5340 18 API calls 10691->10692 10693 a03b3b 10692->10693 10694 9f5340 18 API calls 10693->10694 10695 a03b6d 10694->10695 10738 a042f0 10695->10738 10698 a03b9d 10700 a00d59 10698->10700 10701 9f5b30 5 API calls 10698->10701 10699 9f5b30 5 API calls 10699->10698 10702 a013b0 GetWindowsDirectoryA 10700->10702 10701->10700 10703 a0142d 10702->10703 10704 9f5620 18 API calls 10703->10704 10705 a01468 10704->10705 10706 9f5840 17 API calls 10705->10706 10707 a01496 10706->10707 10708 a05b3b __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 10707->10708 10709 a00d6c 10708->10709 10709->9662 10709->9664 10709->9667 10711 a0132a 10710->10711 10712 9f5620 18 API calls 10711->10712 10713 a01368 10712->10713 10714 9f5840 17 API calls 10713->10714 10715 a01387 10714->10715 10716 a05b3b __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 10715->10716 10717 a00dd1 10716->10717 10717->9670 10717->9672 10717->9675 10719 9f6010 10718->10719 10720 9f605a 10719->10720 10721 9f6054 
?_Xbad_alloc@std@ 10719->10721 10722 9f6049 10719->10722 10724 9f6084 10720->10724 10725 9f6063 10720->10725 10721->10720 10723 9f60db 10722->10723 10731 9f60ce memcpy 10722->10731 10730 9f5b30 5 API calls 10723->10730 10732 9f60ec 10723->10732 10726 a05b51 new 4 API calls 10724->10726 10727 9f606a ?_Xbad_alloc@std@ 10725->10727 10728 9f6070 10725->10728 10726->10722 10727->10728 10729 a05b51 new 4 API calls 10728->10729 10729->10722 10730->10732 10731->10723 10732->10644 10734 9f5c71 ?_Xout_of_range@std@@YAXPBD 10733->10734 10735 9f5c7c 10733->10735 10734->10735 10736 9f539f 10735->10736 10737 9f5cca memcpy 10735->10737 10736->9657 10737->10736 10739 a05b51 new 4 API calls 10738->10739 10740 a03b89 10739->10740 10740->10698 10740->10699 10742 a03437 10741->10742 10743 a03460 10742->10743 10756 a034b0 10742->10756 10743->9730 10747 a03490 10747->9730 10751 9fb768 10748->10751 10749 9fb79e 10750 9f5960 14 API calls 10749->10750 10752 9fb7c1 10750->10752 10751->10749 10813 9f5e80 10751->10813 10754 9f5960 14 API calls 10752->10754 10755 9fb7cf 10754->10755 10755->9741 10792 a03700 10756->10792 10759 a034f0 10760 a03551 10759->10760 10761 a0352a 10759->10761 10763 a03590 10760->10763 10764 a0355d 10760->10764 10795 a03790 10761->10795 10768 a03594 10763->10768 10772 a035ca 10763->10772 10766 a036c6 10764->10766 10767 a03568 10764->10767 10801 a039d0 10766->10801 10770 a03790 5 API calls 10767->10770 10768->10766 10771 a035a2 10768->10771 10774 a0357a 10770->10774 10775 a03790 5 API calls 10771->10775 10777 a035ec 10772->10777 10778 a0363f 10772->10778 10773 a036df 10773->10747 10774->10747 10776 a035b4 10775->10776 10776->10747 10779 a035fb 10777->10779 10780 a0361d 10777->10780 10778->10766 10781 a03662 10778->10781 10782 a03790 5 API calls 10779->10782 10783 a03790 5 API calls 10780->10783 10784 a03671 10781->10784 10785 a03693 10781->10785 10788 a03607 10782->10788 10789 a03629 10783->10789 10786 a03790 5 API calls 10784->10786 10787 a03790 5 API calls 10785->10787 
10790 a0367d 10786->10790 10791 a0369f 10787->10791 10788->10747 10789->10747 10790->10747 10791->10747 10793 a05b51 new 4 API calls 10792->10793 10794 a0347f 10793->10794 10794->10759 10796 a037a2 10795->10796 10800 a0353b 10795->10800 10797 a037b9 10796->10797 10798 9f5b90 4 API calls 10796->10798 10799 a037d8 ?_Xlength_error@std@@YAXPBD 10797->10799 10798->10797 10799->10800 10800->10747 10802 a03a17 10801->10802 10803 a03aae 10802->10803 10804 a03a4c 10802->10804 10809 a03740 10803->10809 10807 a03790 5 API calls 10804->10807 10806 a03ab3 10806->10773 10808 a03a5c 10807->10808 10808->10773 10810 a03753 10809->10810 10812 a0375c 10809->10812 10811 9f5b90 4 API calls 10810->10811 10811->10812 10812->10806 10814 9f5e8f ?_Xlength_error@std@@YAXPBD 10813->10814 10815 9f5e9a 10813->10815 10814->10815 10816 9f5ea1 10815->10816 10819 9f5eb5 10815->10819 10817 9f6170 10 API calls 10816->10817 10818 9f5eaa 10817->10818 10818->10749 10820 9f5eef 10819->10820 10821 9f5ed7 memcpy 10819->10821 10822 9f5ee2 10819->10822 10820->10749 10821->10822 10823 9f5b90 4 API calls 10822->10823 10823->10820 10845 a04756 Process32FirstW 10844->10845 10846 a049bf 10844->10846 10847 a049b3 CloseHandle 10845->10847 10855 a0476c 10845->10855 10848 a05b3b __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 10846->10848 10847->10846 10849 9fb99b 10848->10849 10849->10155 10849->10156 10850 9f5240 20 API calls 10850->10855 10851 9f5b30 _invalid_parameter_noinfo_noreturn _invalid_parameter_noinfo_noreturn _invalid_parameter_noinfo_noreturn _invalid_parameter_noinfo_noreturn _invalid_parameter_noinfo_noreturn 10851->10855 10852 a04998 Process32NextW 10852->10847 10852->10855 10854 9f5340 18 API calls 10854->10855 10855->10850 10855->10851 10855->10852 10855->10854 10857 a04d40 26 API calls 10855->10857 10892 a055f0 10855->10892 10897 a05480 10855->10897 10905 a04610 10855->10905 10857->10855 10860 a04b27 10859->10860 10861 a04a28 IsWow64Process 10859->10861 10864 a05b3b 
APIs
• new.LIBCMT ref: 009F2E99
  • Part of subcall function 00A05B51: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,009F608A,?,6D285D9C,?,?,?), ref: 00A05B78
  • Part of subcall function 009FA870: GetFileAttributesA.KERNELBASE(0000001C,.txt,00000004,debug_antivirus,0000000F,009F2EC0,?,6D285D9C,?), ref: 009FA98A
  • Part of subcall function 009FA870: _mkdir.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(0000001C), ref: 009FA9A2
  • Part of subcall function 009FA870: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 009FA9AF
• new.LIBCMT ref: 009F2ECD
  • Part of subcall function 00A05B51: _callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,009F608A,?,6D285D9C,?,?,?), ref: 00A05B59
  • Part of subcall function 009FBC50: new.LIBCMT ref: 009FBCAD
  • Part of subcall function 009FBC50: InitializeCriticalSection.KERNEL32(00000004), ref: 009FBCC4
  • Part of subcall function 009F27D0: new.LIBCMT ref: 009F2802
• GetCurrentProcessId.KERNEL32(?), ref: 009F2F12
• ProcessIdToSessionId.KERNEL32(00000000), ref: 009F2F19
• GetCommandLineW.KERNEL32 ref: 009F2F6F
• CloseHandle.KERNEL32(00000000), ref: 009F2F98
• ExitProcess.KERNEL32 ref: 009F2FA0
• memset.VCRUNTIME140(00000000,00000000,?), ref: 009F3037
• wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?), ref: 009F3049
• strtok.API-MS-WIN-CRT-STRING-L1-1-0(?,00A0A6D0), ref: 009F305A
• Sleep.KERNELBASE(000007D0), ref: 009F307B
• strtok.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00A0A6D0), ref: 009F317C
• ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position), ref: 009F321C
• _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?), ref: 009F3292
• _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?), ref: 009F32B2
• RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000201,?), ref: 009F332C
• RegQueryValueExA.ADVAPI32(?,?,?,?,LIC,00000000,?), ref: 009F337B
• memset.VCRUNTIME140(00000000,00000000,?,?,?,00000000,?,SOFTWARE\Policies\Windows Provisioning\Path,00A0A5E1,00000000,license.txt,0000000B), ref: 009F33B0
                                                                            • RegQueryValueExA.ADVAPI32(?,LIC,00000000,?,00000000,?,?,?,?,?,?,00000000,?,SOFTWARE\Policies\Windows Provisioning\Path,00A0A5E1,00000000), ref: 009F33CE
                                                                            • RegQueryValueExA.ADVAPI32(?,Status,00000000,?,00000000,?), ref: 009F3415
                                                                            • memset.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,00000000,?,SOFTWARE\Policies\Windows Provisioning\Path,00A0A5E1,00000000,license.txt,0000000B), ref: 009F344A
                                                                            • RegQueryValueExA.ADVAPI32(?,Status,00000000,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 009F3468
                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?,SOFTWARE\Policies\Windows Provisioning\Path,00A0A5E1,00000000,license.txt,0000000B), ref: 009F3497
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?), ref: 009F34B4
                                                                              • Part of subcall function 009F5620: ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,?,?,?,009F11F1,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/,00000040), ref: 009F5693
                                                                              • Part of subcall function 009F5620: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,009F11F1,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/,00000040), ref: 009F56E7
                                                                            • new.LIBCMT ref: 009F34FF
                                                                            • memset.VCRUNTIME140(00000000,00000000,00000088,00000000,license.txt,0000000B), ref: 009F3511
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?), ref: 009F356B
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?), ref: 009F3594
                                                                            • new.LIBCMT ref: 009F35CF
                                                                            • memset.VCRUNTIME140(00000000,00000000,00000088,?,?,?,?,00000002,?,00000088,00000000,license.txt,0000000B), ref: 009F35E1
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?), ref: 009F3690
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?), ref: 009F36BD
                                                                            • memset.VCRUNTIME140(00000000,00000000,00000040,?,?,?,?,?,?,00000002,?,?,?,?,?,00000088), ref: 009F3700
                                                                              • Part of subcall function 009FD020: remove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,00000000,00000000,009FD573), ref: 009FD025
                                                                              • Part of subcall function 009FD020: MoveFileExA.KERNEL32(00000000,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 009FD039
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?), ref: 009F37DF
                                                                            • memset.VCRUNTIME140(00000000,00000000,00000001,?,?,00A0A5E1,?,?,?,?,00000002), ref: 009F3830
                                                                            • memset.VCRUNTIME140(00000000,00000000,?,00000000), ref: 009F3931
                                                                            • strtok.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00A0A618), ref: 009F396A
                                                                            • strtok.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00A0A618,00000000,?,?,?,?,?,00000000), ref: 009F3987
                                                                            • strtok.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00A0A618,00000000,?,?,?,?,?,?,?,00000000), ref: 009F39A4
                                                                            • GdiplusStartup.GDIPLUS(?,?,?,?), ref: 009F3A40
                                                                            • LoadIconW.USER32(0000006C), ref: 009F3AD0
                                                                            • LoadIconW.USER32(0000006A), ref: 009F3ADF
                                                                            • FindResourceW.KERNEL32(000003EA,00000005), ref: 009F3AF3
                                                                            • LoadResource.KERNEL32(00000000), ref: 009F3B04
                                                                            • DialogBoxIndirectParamW.USER32(00000000,00000000,009F69A0,00000000), ref: 009F3B1E
                                                                              • Part of subcall function 009F29D0: ShellExecuteW.SHELL32(00000000,00000000,main_installer.exe,?,00000000,00000000), ref: 009F29DE
                                                                            • GetLastError.KERNEL32 ref: 009F3B28
                                                                            • GdiplusShutdown.GDIPLUS(?), ref: 009F3B32
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: _stat64i32memset$strtok$QueryValue$LoadProcess$CloseFileGdiplusIconResource$AttributesCommandCriticalCurrentDialogErrorExecuteExitFindHandleIndirectInitializeLastLineMoveOpenParamSectionSessionShellShutdownSleepStartupXlength_error@std@@Xout_of_range@std@@_callnewh_errno_mkdirmallocmemcpyremovewcstombs
                                                                            • String ID: -s=%d$-s=%d -k='%s' -p='%s'$-s=1$Cannot open OpenSCManager error code %d$Cannot open service [%s], error code: %d$Display dialog$Do auto install and activate$Do not auto install. (Application has installed already)$LIC$License file exists: %d$License path: %s$Old Version: %d.%d.%d, New Version: %d.%d.%d$Open service: %s$Received session id %d$SOFTWARE\Policies\Windows Provisioning\Path$Status$Status path: %s$\version.txt$antivirus_detector$create stealth manager$get filename$install replace$install silent mode$invalid string position$len lic path: %d$len status path: %d$license.txt$load name map$log.csv$main_installer.exe$open reg: %d$possible launch from msi.$process session id %d$self re-launch: fail !!!$self re-launch: success !!!$token0: %s$token1: %s$token2: %d$token3: %d$version $version.txt
                                                                            • API String ID: 772305779-892903629
                                                                            • Opcode ID: 7cf88f9e097d3131e827ea170f6cd63ba448c63a5f8cebd304ce411b7465ba7f
                                                                            • Instruction ID: 3cfca097e6a3a4e4a3ab041991c677a7a91dae683f4595b0f4447909237ae2cd
                                                                            • Opcode Fuzzy Hash: 7cf88f9e097d3131e827ea170f6cd63ba448c63a5f8cebd304ce411b7465ba7f
                                                                            • Instruction Fuzzy Hash: 2FC2C270608348AFE724EB24DC46BBF77E8AF94304F44092CF685962D2DB75A945CB93
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph
                                                                            • Rendered graph omitted. Function entry 009F69A0, the dialog procedure passed to DialogBoxIndirectParamW at 009F3B1E; its branches open three further dialogs with procedures 009F7280, 009F7950 and 009F8F60 via FindResourceW/LoadResource/DialogBoxIndirectParamW, and the accept path ends in EndDialog (block 9f6dde) followed by calls to 009F47D0, 009F4FE0 and 009FD380.
                                                                            APIs
                                                                            • CreateCompatibleDC.GDI32(?), ref: 009F6A2C
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 009F6A58
                                                                            • GetObjectW.GDI32(00000000,00000018,00000000), ref: 009F6A67
                                                                            • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 009F6A8D
                                                                            • SelectObject.GDI32(?,00000000), ref: 009F6A95
                                                                            • DeleteDC.GDI32(?), ref: 009F6A9C
                                                                            • GetDlgItem.USER32(?,00000519), ref: 009F6AB4
                                                                            • GetDlgItem.USER32(?,0000051F), ref: 009F6AC3
                                                                            • GetDlgItem.USER32(?,0000052F), ref: 009F6AD8
                                                                            • SendMessageW.USER32(00000000,000000B1,000000FF,00000000), ref: 009F6AE4
                                                                            • DefWindowProcW.USER32(?,?,75A88FB0), ref: 009F6AF3
                                                                            • GetClientRect.USER32(?,?), ref: 009F6B03
                                                                            • RedrawWindow.USER32(?,?,00000000,00000005), ref: 009F6B12
                                                                            • SetWindowLongW.USER32(?,00000000,00000002), ref: 009F6B79
                                                                            • GetDlgItem.USER32(?,00000515), ref: 009F6BB3
                                                                            • GetDlgItem.USER32(?,00000544), ref: 009F6BC2
                                                                            • GetDlgItem.USER32(?,0000052C), ref: 009F6BD5
                                                                            • GetDlgItem.USER32(?,0000052D), ref: 009F6BE8
                                                                            • GetDlgItem.USER32(?,0000052E), ref: 009F6BFB
                                                                            • GetDlgItem.USER32(?,0000052F), ref: 009F6C0E
                                                                            • GetDlgItem.USER32(?,00000518), ref: 009F6C1E
                                                                            • GetDlgItem.USER32(?,0000051B), ref: 009F6C31
                                                                            • GetDlgItem.USER32(?,0000051C), ref: 009F6C44
                                                                            • GetDlgItem.USER32(?,0000051D), ref: 009F6C57
                                                                            • SetTextColor.GDI32(?,00FFFFFF), ref: 009F6CB8
                                                                            • SetBkMode.GDI32(?,00000001), ref: 009F6CC6
                                                                            • GetStockObject.GDI32(00000005), ref: 009F6CCE
                                                                            • FindResourceW.KERNEL32(000003EE,00000005,6D285D9C), ref: 009F6D10
                                                                            • LoadResource.KERNEL32(00000000), ref: 009F6D19
                                                                            • DialogBoxIndirectParamW.USER32(00000000,?,009F7280,00000000), ref: 009F6D2E
                                                                            • KiUserCallbackDispatcher.NTDLL(?,00000524), ref: 009F6D3A
                                                                            • FindResourceW.KERNEL32(000003EB,00000005), ref: 009F6D4D
                                                                            • LoadResource.KERNEL32(00000000), ref: 009F6D56
                                                                            • DialogBoxIndirectParamW.USER32(00000000,00000000,009F7950,00000000), ref: 009F6D6C
                                                                            • FindResourceW.KERNEL32(000003EF,00000005,6D285D9C), ref: 009F6DA9
                                                                            • LoadResource.KERNEL32(00000000), ref: 009F6DB6
                                                                            • DialogBoxIndirectParamW.USER32(00000000,?,009F8F60,00000000), ref: 009F6DCB
                                                                            • EndDialog.USER32(?,00000525), ref: 009F6DE4
                                                                            Strings
                                                                            • To Install this software, you must accept this agreement., xrefs: 009F7083
                                                                            • Do you accept all the terms of the preceeding License Agreement? If you choose No, Setup will close. , xrefs: 009F7070
                                                                            • Installation, xrefs: 009F711F
                                                                            • Yes, xrefs: 009F7139
                                                                            • I also agree to inform anyone who uses those computers that their computer usage may be monitored., xrefs: 009F704F
                                                                            • Software Installation, xrefs: 009F70A5
                                                                            • Please read the following License Agreement. Press the PAGE DOWN key to see the rest of the agreement., xrefs: 009F7063
                                                                            • License Agreement, xrefs: 009F7112
                                                                            • I agree to install this software only on computers that I own. , xrefs: 009F7040
                                                                            • Ready To Activate, xrefs: 009F712C
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Item$Resource$DialogObject$FindIndirectLoadParamWindow$Select$CallbackClientColorCompatibleCreateDeleteDispatcherLongMessageModeProcRectRedrawSendStockTextUser
                                                                            • String ID: Do you accept all the terms of the preceeding License Agreement? If you choose No, Setup will close. $I agree to install this software only on computers that I own. $I also agree to inform anyone who uses those computers that their computer usage may be monitored.$Installation$License Agreement$Please read the following License Agreement. Press the PAGE DOWN key to see the rest of the agreement.$Ready To Activate$Software Installation$To Install this software, you must accept this agreement.$Yes
                                                                            • API String ID: 672286209-3308482168
                                                                            • Opcode ID: 334eeae304efc19ca4dd4f6ae3db833bfe1deeb318cbbf2fa34f6c584373a3e1
                                                                            • Instruction ID: 23a9fb1af5d3a9f344969a79b31a768d85c17bd771100b317feb47d40ad37cd9
                                                                            • Opcode Fuzzy Hash: 334eeae304efc19ca4dd4f6ae3db833bfe1deeb318cbbf2fa34f6c584373a3e1
                                                                            • Instruction Fuzzy Hash: EF229E30A4072CABEB219BA4DC49FAEBE79EF59711F104199F618A61E0CB705A42CF51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph
                                                                            • Rendered graph omitted. Function entry 009FD380: a FindFirstFileA("\*.*") / FindNextFileA directory walk that recurses into itself (call 9fd380 in block 9fd551) and routes every entry, including the directory itself after recursion, into 009FD020, the remove()/MoveFileExA(MOVEFILE_DELAY_UNTIL_REBOOT) deletion helper (block 9fd566); the loop ends in FindClose/GetLastError (block 9fd586).
                                                                            APIs
                                                                            • FindFirstFileA.KERNELBASE(00000000,?,\*.*,00000004,00000000,00000000,000000FF,00A17720,00A17721,6D285D9C), ref: 009FD44E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: FileFindFirst
                                                                            • String ID: .$\*.*
                                                                            • API String ID: 1974802433-3701014519
                                                                            • Opcode ID: 67dce6097ad41a4806042ae8f85d2bae5f11e7ffa11617df1dcdcd0d80ad3fed
                                                                            • Instruction ID: d21250317745d11151d20518623043625943e9d6865ec5725ff52e45ce793b22
                                                                            • Opcode Fuzzy Hash: 67dce6097ad41a4806042ae8f85d2bae5f11e7ffa11617df1dcdcd0d80ad3fed
                                                                            • Instruction Fuzzy Hash: A361BA7090025CDFEF25DFA8C898BFEBBB9EB05314F500198E505A7282C7751E89CB61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph
                                                                            • Rendered graph omitted. Function entry 00A046B0: CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS) followed by a Process32FirstW/Process32NextW loop over PROCESSENTRY32W records (dwSize 0000022C); each record passes through string routines 009F5240/009F5340 and matches are appended to a std::vector (subcall 00A04D40, whose length check raises "vector<T> too long"); the loop ends in CloseHandle (block a049b3).
                                                                            APIs
                                                                            • memset.VCRUNTIME140(?,00000000,00000228,6D285D9C,?,00000000), ref: 00A0472B
                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00A04741
                                                                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00A0475E
                                                                            • Process32NextW.KERNEL32(?,0000022C), ref: 00A049A5
                                                                              • Part of subcall function 00A04D40: ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(vector<T> too long,?,?,00000000,00A0496E,?,00A084EF,00000000,000000FF,?,?,?,00000000), ref: 00A04D8F
                                                                            • CloseHandle.KERNEL32(?), ref: 00A049B9
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32Xlength_error@std@@memset
                                                                            • String ID:
                                                                            • API String ID: 1022414800-0
                                                                            • Opcode ID: 457ac72af995770d5304cf5c6761d043984492a27688a8f2b25335e451501156
                                                                            • Instruction ID: 5ec01876073c0c75ccefff856001f0384c7ed05fe0ffa3ba5d198c2078bd6889
                                                                            • Opcode Fuzzy Hash: 457ac72af995770d5304cf5c6761d043984492a27688a8f2b25335e451501156
                                                                            • Instruction Fuzzy Hash: 18918CB090025DDBDB24DFA4D988BEEBBB4FF08314F244599E619A72D0E7746A84CF50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • DefWindowProcW.USER32(?,00000020,?,000000FF,6D285D9C), ref: 009F79DC
                                                                            • CreateCompatibleDC.GDI32(?), ref: 009F79E8
                                                                            • LoadBitmapW.USER32(0000044D), ref: 009F7A01
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 009F7A20
                                                                            • GetObjectW.GDI32(00000000,00000018,00000000), ref: 009F7A2F
                                                                            • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 009F7A56
                                                                            • SelectObject.GDI32(?,00000000), ref: 009F7A5E
                                                                            • DeleteDC.GDI32(?), ref: 009F7A65
                                                                            • GetDlgItem.USER32(?,00000519), ref: 009F7A7D
                                                                            • GetDlgItem.USER32(?,0000051F), ref: 009F7A8C
                                                                            • GetDlgItem.USER32(?,00000520), ref: 009F7AA1
                                                                            • GetDlgItem.USER32(?,00000532), ref: 009F7AB6
                                                                            • GetDlgItem.USER32(?,00000533), ref: 009F7ACB
                                                                            • KillTimer.USER32(?,00000001,6D285D9C), ref: 009F7AE2
                                                                            • SetWindowLongW.USER32(?,00000000,00000002), ref: 009F7B7A
                                                                            • GetDlgItem.USER32(?,00000515), ref: 009F7BB3
                                                                            • GetDlgItem.USER32(?,0000051B), ref: 009F7BC2
                                                                            • GetDlgItem.USER32(?,0000051C), ref: 009F7BD5
                                                                            • GetDlgItem.USER32(?,0000051D), ref: 009F7BE8
                                                                            • GetDlgItem.USER32(?,00000530), ref: 009F7BFB
                                                                            • GetDlgItem.USER32(?,00000531), ref: 009F7C0E
                                                                            • SetTextColor.GDI32(?,00FFFFFF), ref: 009F7C5A
                                                                            • SetBkMode.GDI32(?,00000001), ref: 009F7C68
                                                                            • GetStockObject.GDI32(00000005), ref: 009F7C70
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Item$Object$SelectWindow$BitmapColorCompatibleCreateDeleteKillLoadLongModeProcStockTextTimer
                                                                            • String ID: -s=1$Installation$Installing your software$License Agreement$Next$P L E A S E W A I T$Ready To Activate$post_install.exe
                                                                            • API String ID: 312924425-2055219389
                                                                            • Opcode ID: 87e2221a24812ec43abc4f0dd11c415856d50c7e0f364c59eaf423f07be3fab5
                                                                            • Instruction ID: bdf553b65ef7e60bde2580bd26ba7cb00558801c20828a1ce17e196aea3228fc
                                                                            • Opcode Fuzzy Hash: 87e2221a24812ec43abc4f0dd11c415856d50c7e0f364c59eaf423f07be3fab5
                                                                            • Instruction Fuzzy Hash: A3327C30A5461CABDB20DFA4DC49FEEBBB9EB58701F004199F605A72E0DB746A42CF51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • DefWindowProcW.USER32(?,00000020,?,?), ref: 009F827C
                                                                            • CreateCompatibleDC.GDI32(?), ref: 009F8297
                                                                            • LoadBitmapW.USER32(0000044D), ref: 009F82AE
                                                                            • SelectObject.GDI32(00000000), ref: 009F82D6
                                                                            • GetObjectW.GDI32(00000000,00000018,00000000), ref: 009F82E2
                                                                            • BitBlt.GDI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00CC0020), ref: 009F8306
                                                                            • SelectObject.GDI32(?,00000000), ref: 009F830E
                                                                            • DeleteDC.GDI32(?), ref: 009F8311
                                                                            • GetDlgItem.USER32(?,00000519), ref: 009F8327
                                                                            • GetDlgItem.USER32(?,0000051F), ref: 009F8336
                                                                            • GetDlgItem.USER32(?,00000520), ref: 009F834B
                                                                            • GetDlgItem.USER32(?,00000521), ref: 009F8360
                                                                            • GetDlgItem.USER32(?,00000534), ref: 009F8375
                                                                            • SetWindowLongW.USER32(?,00000000,00000002), ref: 009F8410
                                                                            • GetDlgItem.USER32(?,00000515), ref: 009F8458
                                                                            • GetDlgItem.USER32(?,0000051B), ref: 009F8462
                                                                            • GetDlgItem.USER32(?,0000051C), ref: 009F846E
                                                                            • GetDlgItem.USER32(?,0000051D), ref: 009F847A
                                                                            • GetDlgItem.USER32(?,00000535), ref: 009F8486
                                                                            • GetDlgItem.USER32(?,00000536), ref: 009F8492
                                                                            • GetDlgItem.USER32(?,00000537), ref: 009F849E
                                                                            • GetDlgItem.USER32(?,00000538), ref: 009F84AA
                                                                            • SetTextColor.GDI32(?,00FFFFFF), ref: 009F84F5
                                                                            • SetBkMode.GDI32(?,00000001), ref: 009F8501
                                                                            • GetStockObject.GDI32(00000005), ref: 009F8509
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Item$Object$SelectWindow$BitmapColorCompatibleCreateDeleteLoadLongModeProcStockText
                                                                            • String ID: Activate Later$Activate Now$Global\Show_5491c4d3-0a5f-4898-bec4-cd906998e306$Installation$License Agreement$Ready To Activate$antivirus_detector$set event error: %d
                                                                            • API String ID: 247354590-3374414970
                                                                            • Opcode ID: ce716c4bf6f5c6c6dad27ed183637ccd663552d9dee1abdca7e3edb64b78d4d8
                                                                            • Instruction ID: 47f638563aed06103779071169048e1a40d970164fdae4316893f74b7e9e2c1b
                                                                            • Opcode Fuzzy Hash: ce716c4bf6f5c6c6dad27ed183637ccd663552d9dee1abdca7e3edb64b78d4d8
                                                                            • Instruction Fuzzy Hash: C1F1F371644708ABD710DFB4EC4AF6F7BA9FB88701F00491AF645A72E1DA749901CF52
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • SetWindowLongW.USER32(?,?,00000002), ref: 009F72F4
                                                                            • DefWindowProcW.USER32(?,00000020,?,?,6D285D9C), ref: 009F7309
                                                                            • CreateSolidBrush.GDI32(003300CC), ref: 009F731F
                                                                            • GetClientRect.USER32(?,?), ref: 009F732E
                                                                            • FillRect.USER32(?,?,00000000), ref: 009F733C
                                                                            • CreateSolidBrush.GDI32(00000099), ref: 009F7347
                                                                            • GetClientRect.USER32(?), ref: 009F7355
                                                                            • GetDC.USER32 ref: 009F735D
                                                                            • FillRect.USER32(00000000,?,00000000), ref: 009F7369
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 009F737C
                                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 009F738B
                                                                            • GetParent.USER32(?), ref: 009F7392
                                                                            • GetDesktopWindow.USER32 ref: 009F739C
                                                                            • GetWindowRect.USER32(00000000,?), ref: 009F73AD
                                                                            • GetWindowRect.USER32(?,?), ref: 009F73B4
                                                                            • CopyRect.USER32(?,?), ref: 009F73BE
                                                                            • OffsetRect.USER32(?,?,?), ref: 009F73DA
                                                                            • OffsetRect.USER32(?,?,?), ref: 009F73EC
                                                                            • OffsetRect.USER32(?,?,?), ref: 009F73FE
                                                                            • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000001), ref: 009F7421
                                                                            • GetDlgItem.USER32(?,0000053D), ref: 009F7438
                                                                            • GetDlgItem.USER32(?,0000053E), ref: 009F7442
                                                                            • GetDlgItem.USER32(?,0000053F), ref: 009F7451
                                                                            • GetDlgItem.USER32(?,00000529), ref: 009F7464
                                                                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 009F7479
                                                                            • GetDlgItem.USER32(?,0000053D), ref: 009F7806
                                                                            • GetDlgItem.USER32(?,0000053E), ref: 009F7810
                                                                            • GetDlgItem.USER32(?,0000053F), ref: 009F781E
                                                                            • GetDlgItem.USER32(?,00000529), ref: 009F782C
                                                                            • SetBkMode.GDI32(?,00000001), ref: 009F7868
                                                                            • GetStockObject.GDI32(00000005), ref: 009F7870
                                                                            Strings
                                                                            • list<T> too long, xrefs: 009F77DB
                                                                            • For your software to work correctly it must be added as an exception to the following Antivirus programs., xrefs: 009F74A7
                                                                            • Please use the instructions below to add exceptions to your Antivirus software to ensure that your software will work smoothly and, xrefs: 009F74F1
                                                                            • Antivirus Detected!, xrefs: 009F74BD
                                                                            • Click here for instructions, xrefs: 009F75CE
                                                                            • button, xrefs: 009F75D3
                                                                            • static, xrefs: 009F758D, 009F7771
                                                                            • #, xrefs: 009F771D
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Rect$ItemWindow$LongOffset$BrushClientCreateFillSolid$CopyDesktopMessageModeObjectParentProcSendStock
                                                                            • String ID: #$Antivirus Detected!$Click here for instructions$For your software to work correctly it must be added as an exception to the following Antivirus programs.$Please use the instructions below to add exceptions to your Antivirus software to ensure that your software will work smoothly and$button$list<T> too long$static
                                                                            • API String ID: 34053187-1816344687
                                                                            • Opcode ID: 2fe8e9d273ab3c315951b5a5a0af6f33d49d0ab6dead1206825ab49177f3a96c
                                                                            • Instruction ID: 33e1765399601e3257c14ea2bb5e44950b4ab3364df8427e46335c6f0075b9e6
                                                                            • Opcode Fuzzy Hash: 2fe8e9d273ab3c315951b5a5a0af6f33d49d0ab6dead1206825ab49177f3a96c
                                                                            • Instruction Fuzzy Hash: 7C02807190421DAFEB20DBA4DC89FAEBBB9FB54300F104595F609A7291D7709E82CF61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 009F6300: new.LIBCMT ref: 009F6305
                                                                            • CoInitializeEx.OLE32(00000000,00000000,00000000,00000000,6D285D9C), ref: 009F48C2
                                                                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 009F48E2
                                                                            • CoCreateInstance.OLE32(00A0A514,00000000,00000001,00A0A524,?), ref: 009F4910
                                                                            • CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 009F4982
                                                                            • VariantClear.OLEAUT32(00000008), ref: 009F4AC5
                                                                            • CoUninitialize.OLE32 ref: 009F4AFC
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(list<T> too long,00000000,?,00000000,?), ref: 009F4B25
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Initialize$BlanketClearCreateInstanceProxySecurityUninitializeVariantXlength_error@std@@
                                                                            • String ID: SELECT * FROM AntivirusProduct$WQL$displayName$list<T> too long
                                                                            • API String ID: 1319182029-2063593977
                                                                            • Opcode ID: e9c9ca24ab84b4b9707fb8a9eb3a803ae272f9e562372cf0b894db1c8e0560ee
                                                                            • Instruction ID: 78cf5a4573f75583c0bfe101c072b829f9d46effb63acc3a8c81d1c82861a12e
                                                                            • Opcode Fuzzy Hash: e9c9ca24ab84b4b9707fb8a9eb3a803ae272f9e562372cf0b894db1c8e0560ee
                                                                            • Instruction Fuzzy Hash: 21914B70A4021DAFDB10DFA4DC45FAFBBB8BF44714F204158E605AB2D0DBB5A905CBA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%
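The API sequence recovered for this function (CoInitializeEx, CoInitializeSecurity, CoCreateInstance, CoSetProxyBlanket, VariantClear, CoUninitialize) together with the strings `WQL`, `SELECT * FROM AntivirusProduct` and `displayName` is the standard WMI pattern for enumerating the antivirus products registered with Windows Security Center, which is what the "Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)" signature refers to. The WMI namespace is not among the recovered strings; the PowerShell below assumes `root/SecurityCenter2`, the namespace that exposes the `AntivirusProduct` class on client Windows editions. It is an added editorial example, not code recovered from the sample, and shows what such a query returns on an analysis host and how the `productState` value is conventionally decoded (the bit layout is community-documented, not formally specified by Microsoft, so treat that decoding as an assumption).

```powershell
# Added example (not from the sample): issue the same WQL query the function sends to WMI
# and decode what it reveals about installed antivirus products.
# Assumes the root/SecurityCenter2 namespace, which is absent on Windows Server editions
# (the query then fails with an invalid-namespace error instead of returning nothing).
function Get-AvProductState {
    [CmdletBinding()]
    param(
        # Query string exactly as recovered from the sample's memory dump
        [string]$Query = 'SELECT * FROM AntivirusProduct',
        # Assumption: the namespace is not among the recovered strings
        [string]$Namespace = 'root/SecurityCenter2'
    )

    try {
        $products = Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop
    } catch {
        Write-Warning "WMI query failed: $($_.Exception.Message) (Security Center is not available on Server SKUs)"
        return @()
    }

    foreach ($p in $products) {
        # productState is a DWORD. The conventional (undocumented) reading treats it as three
        # byte-sized fields, 0xAABBCC:
        #   AA = product type
        #   BB = 0x10 or 0x11 real-time protection enabled, 0x00 or 0x01 disabled
        #   CC = 0x00 signatures current, 0x10 signatures out of date
        $hex = '{0:X6}' -f [int]$p.productState
        [pscustomobject]@{
            DisplayName  = $p.displayName        # the property the sample reads (string "displayName")
            ProductState = $hex
            RealTimeOn   = $hex.Substring(2, 2) -in @('10', '11')
            SignaturesOk = $hex.Substring(4, 2) -eq '00'
            Timestamp    = $p.timestamp
        }
    }
}

# Usage on an analysis VM: the DisplayName column is the value the sample would collect.
Get-AvProductState | Format-Table -AutoSize
```

Run this on the same VM image used for detonation: if it returns no rows or errors out, the sample's own query fails the same way, which is worth knowing before interpreting a "no AV detected" branch in its later behaviour.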

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 1015 9f4550-9f4578 FindResourceW 1016 9f457e-9f4593 SizeofResource LoadResource 1015->1016 1017 9f4633-9f4644 call a05b3b 1015->1017 1016->1017 1018 9f4599-9f45a5 LockResource 1016->1018 1020 9f45a7-9f45b6 GlobalAlloc 1018->1020 1021 9f4620-9f4632 call a05b3b 1018->1021 1020->1021 1024 9f45b8-9f45c1 GlobalLock 1020->1024 1026 9f4619-9f461a GlobalFree 1024->1026 1027 9f45c3-9f45e1 memcpy CreateStreamOnHGlobal 1024->1027 1026->1021 1028 9f45e3-9f45e6 call 9f2920 1027->1028 1029 9f4612-9f4613 GlobalUnlock 1027->1029 1031 9f45eb-9f45f8 1028->1031 1029->1026 1031->1029 1033 9f45fa-9f4606 1031->1033 1033->1029 1034 9f4608-9f4610 1033->1034 1034->1029
                                                                            APIs
                                                                            • FindResourceW.KERNEL32(00000000,6D285D9C,PNG), ref: 009F456E
                                                                            • SizeofResource.KERNEL32(00000000,00000000), ref: 009F4580
                                                                            • LoadResource.KERNEL32(00000000,00000000), ref: 009F458B
                                                                            • LockResource.KERNEL32(00000000), ref: 009F459B
                                                                            • GlobalAlloc.KERNELBASE(00000002,?), ref: 009F45AC
                                                                            • GlobalLock.KERNEL32(00000000), ref: 009F45B9
                                                                            • memcpy.VCRUNTIME140(00000000,00000000,?), ref: 009F45C8
                                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 009F45D9
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 009F4613
                                                                              • Part of subcall function 009F2920: GdipAlloc.GDIPLUS(00000010), ref: 009F2936
                                                                              • Part of subcall function 009F2920: GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 009F295A
                                                                            • GlobalFree.KERNEL32(00000000), ref: 009F461A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Global$Resource$AllocCreateGdipLockStream$BitmapFindFreeFromLoadSizeofUnlockmemcpy
                                                                            • String ID: PNG
                                                                            • API String ID: 2868195497-364855578
                                                                            • Opcode ID: 340e9f1c97b702dac64c1db05126f8b3512b81c3f33764ee74711ac932e8e6c1
                                                                            • Instruction ID: d3051e76292c652f6f72484226b2a7f1677ad26c0b82d1a0de0be3aba5252ca4
                                                                            • Opcode Fuzzy Hash: 340e9f1c97b702dac64c1db05126f8b3512b81c3f33764ee74711ac932e8e6c1
                                                                            • Instruction Fuzzy Hash: 94216271A0021CABD7109FA5EC48A7FBBBCEF9AB11F000159FA06D7250DB349D42DB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 1036 9fa870-9fa8c8 1037 9fa8ce 1036->1037 1038 9fa8ca-9fa8cc 1036->1038 1039 9fa8d0-9fa8e8 1037->1039 1038->1039 1040 9fa8ee 1039->1040 1041 9fa8ea-9fa8ec 1039->1041 1042 9fa8f0-9fa908 1040->1042 1041->1042 1043 9fa90c-9fa924 1042->1043 1044 9fa90a 1042->1044 1045 9fa928-9fa932 1043->1045 1046 9fa926 1043->1046 1044->1043 1047 9fa938-9fa93d 1045->1047 1048 9fa934-9fa936 1045->1048 1046->1045 1050 9fa940-9fa945 1047->1050 1049 9fa94a-9fa97b call 9f5620 * 3 1048->1049 1058 9fa97d-9fa981 1049->1058 1059 9fa9bb-9fa9bf 1049->1059 1050->1050 1051 9fa947 1050->1051 1051->1049 1060 9fa987 1058->1060 1061 9fa983-9fa985 1058->1061 1062 9fa9d9-9fa9dd 1059->1062 1063 9fa9c1-9fa9c5 1059->1063 1064 9fa989-9fa98f GetFileAttributesA 1060->1064 1061->1064 1065 9fab54-9fab71 call a05b3b 1062->1065 1066 9fa9e3-9faa0a call 9f5720 1062->1066 1067 9fa9cb 1063->1067 1068 9fa9c7-9fa9c9 1063->1068 1071 9fa995-9fa999 1064->1071 1072 9fa991-9fa993 1064->1072 1080 9faa0c-9faa1f 1066->1080 1081 9faa30-9faa53 call 9fb130 call 9f5960 1066->1081 1069 9fa9cd-9fa9d3 GetFileAttributesA 1067->1069 1068->1069 1069->1062 1074 9fa9d5-9fa9d7 1069->1074 1077 9fa99f 1071->1077 1078 9fa99b-9fa99d 1071->1078 1072->1071 1076 9fa9b5 1072->1076 1074->1062 1074->1066 1076->1059 1082 9fa9a1-9fa9ad _mkdir 1077->1082 1078->1082 1080->1081 1083 9faa21-9faa2b call 9f5840 1080->1083 1090 9faa5f-9faa74 GetFileAttributesA 1081->1090 1091 9faa55-9faa5a call 9f5b90 1081->1091 1082->1076 1085 9fa9af _errno 1082->1085 1083->1081 1085->1076 1093 9faa7a-9faa91 _mkdir 1090->1093 1094 9faa76-9faa78 1090->1094 1091->1090 1095 9faa99-9faad4 call 9f5840 call 9f6430 call 9f6540 1093->1095 1096 9faa93 _errno 1093->1096 1094->1093 1094->1095 1103 9fab0c-9fab12 1095->1103 1104 9faad6-9faadc 1095->1104 1096->1095 1105 9fab1e-9fab36 1103->1105 1106 9fab14-9fab19 call 9f5b90 1103->1106 1107 9faade-9faae2 call 9f5b90 1104->1107 1108 9faae7-9faaf9 1104->1108 1112 9fab38-9fab3d call 9f5b90 1105->1112 1113 9fab42-9fab48 1105->1113 1106->1105 1107->1108 1109 9faaff 1108->1109 1110 9faafb-9faafd 1108->1110 1115 9fab01-9fab07 call 9f5a50 1109->1115 1110->1115 1112->1113 1113->1065 1117 9fab4a-9fab4f call 9f5b90 1113->1117 1115->1103 1117->1065
                                                                            APIs
                                                                            • GetFileAttributesA.KERNELBASE(0000001C,.txt,00000004,debug_antivirus,0000000F,009F2EC0,?,6D285D9C,?), ref: 009FA98A
                                                                            • _mkdir.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(0000001C), ref: 009FA9A2
                                                                            • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 009FA9AF
                                                                            • GetFileAttributesA.KERNELBASE(0000001C,.txt,00000004,debug_antivirus,0000000F,009F2EC0,?,6D285D9C,?), ref: 009FA9CE
                                                                            • GetFileAttributesA.KERNEL32(00000000,00000000,00000000,000000FF,0000001C,00000000,000000FF,.txt,00000004,debug_antivirus,0000000F,009F2EC0,?,6D285D9C,?), ref: 009FAA6B
                                                                            • _mkdir.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000), ref: 009FAA86
                                                                            • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 009FAA93
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: AttributesFile$_errno_mkdir
                                                                            • String ID: .txt$debug_antivirus
                                                                            • API String ID: 3316992066-4049534805
                                                                            • Opcode ID: 90fb252d7754a14643e56f5dd543b8dd3a6f115008a6b16d65725787a855011d
                                                                            • Instruction ID: 645c4351c0d7e8b06ba76bd130b4cb0d949fdec64867be8e65d5af74c1c0aaa7
                                                                            • Opcode Fuzzy Hash: 90fb252d7754a14643e56f5dd543b8dd3a6f115008a6b16d65725787a855011d
                                                                            • Instruction Fuzzy Hash: 34A1C4B090020CDFEB14DF68C844BBEBBB5FF05310F500528E656A72D2D7B5A985CB62
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 1120 a00b40-a00ba9 call 9ffc20 1123 a00bab 1120->1123 1124 a00bad-a00bc6 1120->1124 1123->1124 1125 a00bc8 1124->1125 1126 a00bca-a00be2 1124->1126 1125->1126 1127 a00be4-a00be6 1126->1127 1128 a00be8 1126->1128 1129 a00bea-a00c02 1127->1129 1128->1129 1130 a00c04-a00c06 1129->1130 1131 a00c08 1129->1131 1132 a00c0a-a00c22 1130->1132 1131->1132 1133 a00c24-a00c26 1132->1133 1134 a00c28 1132->1134 1135 a00c2a-a00c4c GetCurrentProcess IsWow64Process 1133->1135 1134->1135 1136 a00c56 1135->1136 1137 a00c4e-a00c52 1135->1137 1139 a00c58-a00cff call 9f5240 * 2 call 9f5d10 call 9f5460 call a05b51 1136->1139 1137->1136 1138 a00c54 1137->1138 1138->1139 1150 a00d01-a00d03 1139->1150 1151 a00d05 1139->1151 1152 a00d07-a00d33 call 9f5240 1150->1152 1151->1152 1155 a00d35-a00d37 1152->1155 1156 a00d39 1152->1156 1157 a00d3b-a00d76 call 9f5340 call a03ad0 call a013b0 1155->1157 1156->1157 1164 a00db2-a00dbc 1157->1164 1165 a00d78-a00d7e 1157->1165 1166 a00dc8-a00dd8 call a012b0 1164->1166 1167 a00dbe-a00dc3 call 9f5b90 1164->1167 1168 a00d80-a00d8c call 9f5b90 1165->1168 1169 a00d8f-a00da1 1165->1169 1179 a00e13-a00e1d 1166->1179 1180 a00dda-a00de0 1166->1180 1167->1166 1168->1169 1173 a00da3-a00da5 1169->1173 1174 a00da7 1169->1174 1177 a00da9-a00dad call 9f5a50 1173->1177 1174->1177 1177->1164 1181 a00e29-a00e35 call a014c0 1179->1181 1182 a00e1f-a00e24 call 9f5b90 1179->1182 1183 a00de2-a00deb call 9f5b90 1180->1183 1184 a00dee-a00e00 1180->1184 1193 a00e37-a00e3d 1181->1193 1194 a00e6d-a00e77 1181->1194 1182->1181 1183->1184 1188 a00e02-a00e04 1184->1188 1189 a00e06 1184->1189 1192 a00e08-a00e0e call 9f5a50 1188->1192 1189->1192 1192->1179 1196 a00e48-a00e5a 1193->1196 1197 a00e3f-a00e43 call 9f5b90 1193->1197 1198 a00e83-a00e8f call a014c0 1194->1198 1199 a00e79-a00e7e call 9f5b90 1194->1199 1203 a00e60 1196->1203 1204 a00e5c-a00e5e 1196->1204 1197->1196 1207 a00e91-a00e97 1198->1207 1208 a00ec7-a00ecd 1198->1208 1199->1198 1206 a00e62-a00e68 call 9f5a50 1203->1206 1204->1206 1206->1194 1210 a00ea2-a00eb4 1207->1210 1211 a00e99-a00e9d call 9f5b90 1207->1211 1212 a00ed9-a00edf 1208->1212 1213 a00ecf-a00ed4 call 9f5b90 1208->1213 1217 a00eb6-a00eb8 1210->1217 1218 a00eba 1210->1218 1211->1210 1214 a00ee1-a00ee6 call 9f5b30 1212->1214 1215 a00eeb-a00f09 call a05b3b 1212->1215 1213->1212 1214->1215 1222 a00ebc-a00ec2 call 9f5a50 1217->1222 1218->1222 1222->1208
                                                                            APIs
                                                                              • Part of subcall function 009FFC20: new.LIBCMT ref: 009FFC22
                                                                            • GetCurrentProcess.KERNEL32(?,6D285D9C,?,00000000), ref: 00A00C3C
                                                                            • IsWow64Process.KERNEL32(00000000), ref: 00A00C43
                                                                            • new.LIBCMT ref: 00A00CD9
                                                                              • Part of subcall function 009F5A50: memcpy.VCRUNTIME140(00000000,009FD4F6,E8FFFFFD,00000000,00000000,?,009FD4F6,00000000), ref: 009F5A6B
                                                                              • Part of subcall function 009F5B90: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 009F5BA3
                                                                              • Part of subcall function 009F5B90: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 009F5BB0
                                                                              • Part of subcall function 009F5B90: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 009F5BBD
                                                                              • Part of subcall function 009F5B90: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 009F5BC8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn$Process$CurrentWow64memcpy
                                                                            • String ID: Data$SOFTWARE\Classes\CLSID\$\MiscStatus\1${d07606c8-6532-4d75-a46d-f5f5ac6ef74a}
                                                                            • API String ID: 1661744430-531586979
                                                                            • Opcode ID: b4eb78a50773ea8ab6db6d4c188386b5cee80f666ad71acf7ed8a7b592ffb6db
                                                                            • Instruction ID: 103d9c9770e2870463c1f8661d22f5fb05ddfc685cb8654f4ffb693eac8ad620
                                                                            • Opcode Fuzzy Hash: b4eb78a50773ea8ab6db6d4c188386b5cee80f666ad71acf7ed8a7b592ffb6db
                                                                            • Instruction Fuzzy Hash: DEC19E70A04248DFEB08DFA8E984BAEBBB5FF01304F600559E5169B2D2C775ED45CBA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%
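The strings recovered for this function (`SOFTWARE\Classes\CLSID\`, `{d07606c8-6532-4d75-a46d-f5f5ac6ef74a}`, `\MiscStatus\1`, `Data`) concatenate into a registry path, and the IsWow64Process call in the same function indicates the code distinguishes 32-bit execution on a 64-bit host, which matters here because `HKLM\SOFTWARE\Classes\CLSID` is one of the keys subject to WOW64 registry redirection. `MiscStatus\<aspect>` is a legitimate OLE-control subkey, so a value placed under it blends in with ordinary COM registration data. The function's own API list contains no registry calls, so whether the sample reads or writes that key cannot be confirmed from this block alone. The PowerShell below is an added hunting check for an analysis or incident-response host, not code from the sample; it assumes the path may sit under either HKLM or HKCU (the hive is not among the recovered strings) and inspects both the 64-bit and the redirected 32-bit view so a write from either bitness is not missed.

```powershell
# Added example (not from the sample): look for the CLSID\MiscStatus\1 "Data" value in every
# hive/view combination a 32-bit or 64-bit writer could have used on this host.
$Clsid     = '{d07606c8-6532-4d75-a46d-f5f5ac6ef74a}'   # recovered from the sample's strings
$SubKey    = "SOFTWARE\Classes\CLSID\$Clsid\MiscStatus\1"
$ValueName = 'Data'                                      # recovered from the sample's strings

function Find-ClsidMiscStatusData {
    param([string]$SubKey, [string]$ValueName)

    # Hive is an assumption: the recovered strings give only the SOFTWARE\Classes\... suffix.
    $hives = @([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryHive]::CurrentUser)
    # Registry32 is the WOW64-redirected view (Wow6432Node) a 32-bit process writes to by default.
    $views = @([Microsoft.Win32.RegistryView]::Registry64, [Microsoft.Win32.RegistryView]::Registry32)

    foreach ($hive in $hives) {
        foreach ($view in $views) {
            try {
                $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, $view)
                $key  = $base.OpenSubKey($SubKey, $false)
            } catch { continue }            # e.g. access denied; keep scanning the other views
            if ($null -eq $key) { $base.Close(); continue }

            $data = $key.GetValue($ValueName, $null,
                        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            $kind = if ($null -ne $data) { $key.GetValueKind($ValueName) } else { $null }

            if ($data -is [byte[]]) {
                # A binary blob here is the interesting case: carve it out for further analysis.
                $size    = $data.Length
                $n       = [Math]::Min(16, $size)
                $preview = if ($n -gt 0) { ($data[0..($n - 1)] | ForEach-Object { '{0:X2}' -f $_ }) -join ' ' } else { '' }
            } else {
                $size    = $null
                $preview = "$data"
            }

            [pscustomobject]@{
                Hive        = $hive
                View        = $view
                KeyExists   = $true
                ValuePresent = ($null -ne $data)
                ValueKind   = $kind
                Bytes       = $size
                Preview     = $preview
            }
            $key.Close(); $base.Close()
        }
    }
}

# No output means the key exists in none of the four hive/view combinations.
Find-ClsidMiscStatusData -SubKey $SubKey -ValueName $ValueName | Format-Table -AutoSize
```

Querying both views matters in practice: a 32-bit sample running on 64-bit Windows writes `HKLM\SOFTWARE\Classes\CLSID\...` into the Wow6432Node view, and a 64-bit PowerShell session reading the path literally will not see it unless it opens the Registry32 view.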

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 1324 9f5fd0-9f600e 1325 9f6014-9f6026 1324->1325 1326 9f6010-9f6012 1324->1326 1327 9f603b-9f6047 1325->1327 1328 9f6028-9f6034 1325->1328 1326->1327 1330 9f604d-9f6052 1327->1330 1331 9f6049-9f604b 1327->1331 1328->1327 1329 9f6036 1328->1329 1329->1327 1333 9f605a-9f6061 1330->1333 1334 9f6054 ?_Xbad_alloc@std@@YAXXZ 1330->1334 1332 9f60b7-9f60bc 1331->1332 1335 9f60be-9f60c2 1332->1335 1336 9f60db-9f60e1 1332->1336 1337 9f6084-9f6085 call a05b51 1333->1337 1338 9f6063-9f6068 1333->1338 1334->1333 1342 9f60c8 1335->1342 1343 9f60c4-9f60c6 1335->1343 1339 9f60ec-9f60fe 1336->1339 1340 9f60e3-9f60e7 call 9f5b30 1336->1340 1350 9f608a-9f608f 1337->1350 1344 9f606a ?_Xbad_alloc@std@@YAXXZ 1338->1344 1345 9f6070-9f6082 call a05b51 1338->1345 1348 9f6104 1339->1348 1349 9f6100-9f6102 1339->1349 1340->1339 1351 9f60ca-9f60cc 1342->1351 1343->1351 1344->1345 1345->1332 1353 9f6106-9f611a 1348->1353 1349->1353 1350->1332 1351->1336 1354 9f60ce-9f60d8 memcpy 1351->1354 1355 9f611e-9f6135 1353->1355 1356 9f611c 1353->1356 1354->1336 1356->1355
                                                                            APIs
                                                                            • ?_Xbad_alloc@std@@YAXXZ.MSVCP140(6D285D9C,?,?,?), ref: 009F6054
                                                                            • ?_Xbad_alloc@std@@YAXXZ.MSVCP140(6D285D9C,?,?,?), ref: 009F606A
                                                                            • new.LIBCMT ref: 009F6071
                                                                            • new.LIBCMT ref: 009F6085
                                                                              • Part of subcall function 00A05B51: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,009F608A,?,6D285D9C,?,?,?), ref: 00A05B78
                                                                            • memcpy.VCRUNTIME140(00000000,?,?,?,?,?,009F1132,1.3.1,00000005), ref: 009F60D3
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Xbad_alloc@std@@$mallocmemcpy
                                                                            • String ID:
                                                                            • API String ID: 2729666953-0
                                                                            • Opcode ID: 99ca14db8cea5bd6823b2b7d685e6b19559ceb83729a81767601cd14f91dedb4
                                                                            • Instruction ID: 66b8a78edb57c526d2c0f875a04b1dd50e8e22b561955e0f3c32e28f1c2c01e7
                                                                            • Opcode Fuzzy Hash: 99ca14db8cea5bd6823b2b7d685e6b19559ceb83729a81767601cd14f91dedb4
                                                                            • Instruction Fuzzy Hash: C041F6B1A04708DBCB24DF29D98163AB7F8EB45350F244B2DE552C7290EB35E905CBA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 1357 9f5b30-9f5b3e 1358 9f5b46-9f5b4d 1357->1358 1359 9f5b40 _invalid_parameter_noinfo_noreturn 1357->1359 1360 9f5b4f-9f5b52 1358->1360 1361 9f5b81-9f5b82 call a05dec 1358->1361 1359->1358 1363 9f5b5a-9f5b5f 1360->1363 1364 9f5b54 _invalid_parameter_noinfo_noreturn 1360->1364 1365 9f5b87-9f5b8b 1361->1365 1366 9f5b67-9f5b6c 1363->1366 1367 9f5b61 _invalid_parameter_noinfo_noreturn 1363->1367 1364->1363 1368 9f5b6e _invalid_parameter_noinfo_noreturn 1366->1368 1369 9f5b74-9f5b77 1366->1369 1367->1366 1368->1369 1370 9f5b7f 1369->1370 1371 9f5b79 _invalid_parameter_noinfo_noreturn 1369->1371 1370->1361 1371->1370
                                                                            APIs
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,009F60EC,?,?,?), ref: 009F5B40
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,009F60EC,?,?,?), ref: 009F5B54
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,009F60EC,?,?,?), ref: 009F5B61
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,009F60EC,?,?,?), ref: 009F5B6E
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,009F60EC,?,?,?), ref: 009F5B79
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                            • String ID:
                                                                            • API String ID: 3668304517-0
                                                                            • Opcode ID: 9e526c331d57989d8cb7ba1347be959191b09cc182b5b50e1f0e674e7cc4d3ee
                                                                            • Instruction ID: f0196f82a02279ef1a801d8d9f63407d6c95f642ac8ba0a7cdb5795d1df49b34
                                                                            • Opcode Fuzzy Hash: 9e526c331d57989d8cb7ba1347be959191b09cc182b5b50e1f0e674e7cc4d3ee
                                                                            • Instruction Fuzzy Hash: 03F0123051060E4BD708FBB4E96D5FD779D9B18317B150526EB17C2270DA2798D28A1A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph
                                                                            (rendered graph in the original report; summary of the recovered node data) 35 basic blocks spanning 009F5460-009F557A. ?_Xlength_error@std@@YAXPBD@Z is reached on two conditional paths, from 009F54C4 and from 009F54E3; memcpy is called from 009F553E; the function also calls the internal routines 009F5FD0 (from 009F54F3) and 009F5D10 (from 009F54A0).
                                                                            APIs
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,00000058,00000040,?,00A00CD7,\MiscStatus\1,0000000D,?,00000000,000000FF,{d07606c8-6532-4d75-a46d-f5f5ac6ef74a},00000026,SOFTWARE\Classes\CLSID\,00000017), ref: 009F54C9
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,00000000,00000058,00000040,?,00A00CD7,\MiscStatus\1,0000000D,?,00000000,000000FF,{d07606c8-6532-4d75-a46d-f5f5ac6ef74a},00000026,SOFTWARE\Classes\CLSID\,00000017), ref: 009F54E8
                                                                            • memcpy.VCRUNTIME140(?,00000017,?,00000000,00000058,00000040,?,00A00CD7,\MiscStatus\1,0000000D,?,00000000,000000FF,{d07606c8-6532-4d75-a46d-f5f5ac6ef74a},00000026,SOFTWARE\Classes\CLSID\), ref: 009F554A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Xlength_error@std@@$memcpy
                                                                            • String ID: string too long
                                                                            • API String ID: 44297128-2556327735
                                                                            • Opcode ID: ecb0869319492ab20f921f0198ca45c27870376e28be07a032ccae9a39edda72
                                                                            • Instruction ID: d9f393e2a1baff181de3f93145eb69880f95fb76e7b0c43a8a7cb5f871eb9495
                                                                            • Opcode Fuzzy Hash: ecb0869319492ab20f921f0198ca45c27870376e28be07a032ccae9a39edda72
                                                                            • Instruction Fuzzy Hash: 2231D632305B099B8734DE5CF88087AF3AAFF95712322492EF386C7660D731D8558BA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph
                                                                            (rendered graph in the original report; summary of the recovered node data) The entry block 009F29D0-009F29EB calls ShellExecuteW; the graph then continues at 009FD402 into a directory sweep: FindFirstFileA at 009FD40C-009FD459 (after calls to 009F5620, 009F5720 and 009F5840), a loop head at 009FD470 whose body 009FD47D-009FD54F (calls 009F6430 and 009F63E0) hands each entry to either 009FD380 or 009FD020 before FindNextFileA at 009FD573-009FD580. When enumeration ends, FindClose and GetLastError are called at 009FD586-009FD598, then 009FCFF0 is called at 009FD59A, followed by the exit blocks 009FD5A5-009FD61E with calls to 009F5B90 and 00A05B3B.
                                                                            APIs
                                                                            • ShellExecuteW.SHELL32(00000000,00000000,main_installer.exe,?,00000000,00000000), ref: 009F29DE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: ExecuteShell
                                                                            • String ID: .$\*.*$main_installer.exe
                                                                            • API String ID: 587946157-3509626255
                                                                            • Opcode ID: aca6a7f77ebdc1e4065394ebfba0c4aa388c10b7bf978415383a03db72b72bfc
                                                                            • Instruction ID: e709060296ab7f156ae0efda1a82b608a2839e106954c7375fac4956013f2626
                                                                            • Opcode Fuzzy Hash: aca6a7f77ebdc1e4065394ebfba0c4aa388c10b7bf978415383a03db72b72bfc
                                                                            • Instruction Fuzzy Hash: 1FD0C730789308EBE725C7809C56B783276F358741F505518F316294D0D7F42841C659
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph
                                                                            (rendered graph in the original report; summary of the recovered node data) 4 basic blocks, 009F4650-009F46AF: GetDC and GdipCreateFromHDC in the entry block 009F4650-009F4682, a two-way branch that rejoins at 009F468B, where GdipDrawImageI and GdipDeleteGraphics are called together with 00A05B3B, then the exit block 009F46AC-009F46AF.
                                                                            APIs
                                                                            • GetDC.USER32 ref: 009F4668
                                                                            • GdipCreateFromHDC.GDIPLUS(00000000,?), ref: 009F467A
                                                                            • GdipDrawImageI.GDIPLUS(00000000,00000000,00000000,00000000), ref: 009F4694
                                                                            • GdipDeleteGraphics.GDIPLUS(00000000), ref: 009F469B
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Gdip$CreateDeleteDrawFromGraphicsImage
                                                                            • String ID:
                                                                            • API String ID: 926577726-0
                                                                            • Opcode ID: 806989a911655d7d249ba4f0dfe7c61a6e9d21c39f69f34b3911846243b653ad
                                                                            • Instruction ID: 293028e47ff9384c000f8a189ca6c5e5ba4e71de1ffef77b4061897eb5267e52
                                                                            • Opcode Fuzzy Hash: 806989a911655d7d249ba4f0dfe7c61a6e9d21c39f69f34b3911846243b653ad
                                                                            • Instruction Fuzzy Hash: BFF06D3590171CABDB10DBE4ED49BAEBBBCEF19701F014188F901A7240DA346E028B96
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,750292F0,?,?,?,009F2BBF), ref: 009FD0AA
                                                                            • new.LIBCMT ref: 009FD0BB
                                                                              • Part of subcall function 00A05B51: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,009F608A,?,6D285D9C,?,?,?), ref: 00A05B78
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: fopenmalloc
                                                                            • String ID:
                                                                            • API String ID: 1458608084-0
                                                                            • Opcode ID: bd512d35405c3567d8fd2cbbec72d18273d4a006ecf54c333901b8a9c6c57a2b
                                                                            • Instruction ID: 9d6b7dc1941a459f7ac882eb4ad16d9a77176c1d43a9a7d336aa3d248c679417
                                                                            • Opcode Fuzzy Hash: bd512d35405c3567d8fd2cbbec72d18273d4a006ecf54c333901b8a9c6c57a2b
                                                                            • Instruction Fuzzy Hash: DF01D431A4E20C56D7249B2898093B2FBDE9F52324F28429EDD4C4B301E6B38883C7D2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GdipAlloc.GDIPLUS(00000010), ref: 009F2936
                                                                            • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 009F295A
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Gdip$AllocBitmapCreateFromStream
                                                                            • String ID:
                                                                            • API String ID: 1915507550-0
                                                                            • Opcode ID: 5c02d94d057191b7ea1df2b3a1f3f62594ca3b4e6ca1134988b97922a8be27da
                                                                            • Instruction ID: 279a319cbdbc81f856192ac872dc58ab0e3564e63be4a8732ba66e136b64ad8f
                                                                            • Opcode Fuzzy Hash: 5c02d94d057191b7ea1df2b3a1f3f62594ca3b4e6ca1134988b97922a8be27da
                                                                            • Instruction Fuzzy Hash: 97018635E0070C9BC710DFB9E9556AEFBF8EF5A710F5142AEE84997340EB7069818781
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • remove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,00000000,00000000,009FD573), ref: 009FD025
                                                                            • MoveFileExA.KERNEL32(00000000,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 009FD039
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: FileMoveremove
                                                                            • String ID:
                                                                            • API String ID: 1863355238-0
                                                                            • Opcode ID: 67a4d058ce8a4c85ef34558b7163bf99ae15a2058227ce55c2e5ce27b7966156
                                                                            • Instruction ID: a20c099e8b719fd631bca341ef49803e744fdd2dd3fde94d63660f3bf42892c1
                                                                            • Opcode Fuzzy Hash: 67a4d058ce8a4c85ef34558b7163bf99ae15a2058227ce55c2e5ce27b7966156
                                                                            • Instruction Fuzzy Hash: AFD05E3274222417E63016697C09FBB969C8BE2F71F190136FA04D6260EA988C435192
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RemoveDirectoryA.KERNELBASE(?,00000000,009FD5A5), ref: 009FCFF4
                                                                            • MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 009FD002
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: DirectoryFileMoveRemove
                                                                            • String ID:
                                                                            • API String ID: 2107220919-0
                                                                            • Opcode ID: 2b5415335420c5f4f4f8e4d08ca9cc22b48712fe545fe14f72e2ac57e1a306e0
                                                                            • Instruction ID: 8764f318b5ecd7495acec7e33083d2c6da8a24734b3756987420d693e9e5a966
                                                                            • Opcode Fuzzy Hash: 2b5415335420c5f4f4f8e4d08ca9cc22b48712fe545fe14f72e2ac57e1a306e0
                                                                            • Instruction Fuzzy Hash: 68D0C9712062289BE6316FA9BC08BAA229C9F2A725F050165E600D5050EBA4894346A6
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%
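The two routines above (remove then MoveFileExA at 009FD020, RemoveDirectoryA then MoveFileExA at 009FCFF0) both fall back to MoveFileExA with a NULL new name and MOVEFILE_DELAY_UNTIL_REBOOT when the immediate delete fails, and the FindFirstFileA/FindNextFileA loop that calls them sweeps a whole directory this way. Such calls do not remove anything at the time of the sandbox run; they append (source, empty destination) pairs to the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, which the session manager processes at the next boot. That value is therefore the artifact to check on a suspect host or in an acquired SYSTEM hive. The following parser and triage helper is an added example for this report, not code from the sample or from Joe Sandbox; the registry bytes and paths it works on are constructed, and the staging-directory list in suspicious_deletions is an illustrative heuristic, not a rule from the report.

```python
"""Decode a PendingFileRenameOperations value and flag the reboot-time
deletions that MoveFileExA(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) leaves
behind.

Added example; not code from the analysed sample or from Joe Sandbox.
All registry data and paths below are constructed for illustration.
"""
from typing import List, Optional, Tuple

# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
# is REG_MULTI_SZ consumed at boot as (source, destination) pairs. MoveFileEx
# with a NULL new name and MOVEFILE_DELAY_UNTIL_REBOOT appends the source in
# \??\ form followed by an EMPTY destination, meaning "delete at next boot".
NT_PREFIX = "\\??\\"

Op = Tuple[str, Optional[str], bool]  # (source, destination or None, replace_existing)


def encode_multi_sz(strings: List[str]) -> bytes:
    """Build REG_MULTI_SZ bytes; used here only to construct sample data."""
    body = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    return body + b"\x00\x00"  # list terminator


def decode_multi_sz(raw: bytes) -> List[str]:
    """Split REG_MULTI_SZ bytes into elements, KEEPING empty elements.

    A generic splitter that stops at the first empty string (as many
    registry helpers do) would drop exactly the empty destinations this
    value relies on, so the list terminator is removed explicitly and the
    remainder is split on NUL.
    """
    text = raw.decode("utf-16-le", errors="replace")
    if text.endswith("\x00\x00"):
        text = text[:-2]  # last element's NUL plus the list terminator
    elif text.endswith("\x00"):
        text = text[:-1]  # tolerate a value missing its final terminator
    return text.split("\x00") if text else []


def strip_nt_prefix(path: str) -> str:
    """Turn \\??\\C:\\x into C:\\x so paths compare with normal Win32 paths."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def pair_entries(items: List[str]) -> List[Op]:
    """Turn the flat element list into (source, destination, replace) ops.

    Empty destination = deletion (the MoveFileExA pattern in this report).
    A destination starting with "!" is a rename allowed to overwrite its
    target (MOVEFILE_REPLACE_EXISTING), the normal updater case.
    """
    if len(items) % 2:
        raise ValueError("PendingFileRenameOperations has an unpaired entry")
    ops: List[Op] = []
    for src, dst in zip(items[0::2], items[1::2]):
        if dst == "":
            ops.append((strip_nt_prefix(src), None, False))
            continue
        replace = dst.startswith("!")
        target = dst[1:] if replace else dst
        ops.append((strip_nt_prefix(src), strip_nt_prefix(target), replace))
    return ops


def pending_renames(raw: bytes) -> List[Op]:
    return pair_entries(decode_multi_sz(raw))


def scheduled_deletions(raw: bytes) -> List[str]:
    """Source paths that will be deleted at the next boot."""
    return [src for src, dst, _ in pending_renames(raw) if dst is None]


# Illustrative heuristic (an assumption, not from the report): deletions of
# files under user-writable staging directories look like a dropper
# sweeping its own install folder rather than an updater cleaning up.
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")


def suspicious_deletions(raw: bytes, staging_dirs=STAGING_DIRS) -> List[str]:
    return [p for p in scheduled_deletions(raw)
            if any(d in p.lower() for d in staging_dirs)]


# Constructed sample value: one legitimate replace-at-reboot rename, then the
# shape a sweep like the one in this report leaves behind: a file deletion
# followed by the deletion of its parent directory. Paths are invented.
SAMPLE_VALUE = encode_multi_sz([
    r"\??\C:\Program Files\Updater\new.dll", r"!\??\C:\Program Files\Updater\core.dll",
    r"\??\C:\Users\victim\AppData\Local\Temp\setup_x\stage1.tmp", "",
    r"\??\C:\Users\victim\AppData\Local\Temp\setup_x", "",
])

if __name__ == "__main__":
    for src, dst, replace in pending_renames(SAMPLE_VALUE):
        action = "DELETE" if dst is None else ("REPLACE" if replace else "RENAME")
        print(f"{action:8} {src}" + (f" -> {dst}" if dst else ""))
```

Feed decode_multi_sz the raw value bytes from an offline SYSTEM hive or a registry export; if your collection tool has already split the value into strings, check that it preserved empty elements and then call pair_entries on that list directly. A deletion entry for the analysed sample's own directory, present before any reboot, is the persistent trace of the "delete itself" behaviour that the sandbox only sees as MoveFileExA calls.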

                                                                            APIs
                                                                            • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000002A,00000000,?), ref: 00A014F3
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: FolderPathSpecial
                                                                            • String ID:
                                                                            • API String ID: 994120019-0
                                                                            • Opcode ID: e73509efa6b92122bfe691b3cb6a77c22797de3330bbfbf393c037197aee7474
                                                                            • Instruction ID: 03eb9175b8ea3072eeeeba17967c175c99bdcee9f816dd07698f239291900f5a
                                                                            • Opcode Fuzzy Hash: e73509efa6b92122bfe691b3cb6a77c22797de3330bbfbf393c037197aee7474
                                                                            • Instruction Fuzzy Hash: 0301B170A0431C9BDB24DF24DC057EABBB4AB16314F0002DDE4865B280EBB52E898B81
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,00000000), ref: 009FCFAA
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: _stat64i32
                                                                            • String ID:
                                                                            • API String ID: 3712039808-0
                                                                            • Opcode ID: 2154a3951c4a7ae634b6d61360a25445fd57e7ae01264996a73064ed7c7557de
                                                                            • Instruction ID: e8eaf84a3a076bcc9ae9d615bb289d7f229be5f6cf3d7a486d6f25a8196e048e
                                                                            • Opcode Fuzzy Hash: 2154a3951c4a7ae634b6d61360a25445fd57e7ae01264996a73064ed7c7557de
                                                                            • Instruction Fuzzy Hash: C7F09036A1511C9B8B00EFF8E9415FEB7B9DF5D200B4041AAED0A97251EE315F068BD5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • fseek.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?), ref: 009FD2E7
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: fseek
                                                                            • String ID:
                                                                            • API String ID: 623662203-0
                                                                            • Opcode ID: 17560b4c9da9b637b2729d33a6d8ab0b744ed23941be29464203c5204e9786e2
                                                                            • Instruction ID: 5ad77e748db628b4e0b7b1fd7eaae9c4b8f146a530007b51d865fd9d0a302ccc
                                                                            • Opcode Fuzzy Hash: 17560b4c9da9b637b2729d33a6d8ab0b744ed23941be29464203c5204e9786e2
                                                                            • Instruction Fuzzy Hash: E8D0A9336A020C7BCF00AFF8AC01CA27B9CAB327047008022F918C6401E232E03AA791
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?), ref: 009FD1D5
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: fgets
                                                                            • String ID:
                                                                            • API String ID: 3135385589-0
                                                                            • Opcode ID: 4fecdb28036dbe23af20f2f546b163d89f48963625de55354fe112ee026275c9
                                                                            • Instruction ID: 9086fdb09a64b74acfcc867e130a90c782017e32f0b00c3bd223a91838737ba2
                                                                            • Opcode Fuzzy Hash: 4fecdb28036dbe23af20f2f546b163d89f48963625de55354fe112ee026275c9
                                                                            • Instruction Fuzzy Hash: 6DD0123224020C6BCB109F94EC00C677B9DAB74754700C011F90C89121D233E976D791
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 009FD17B
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: fclose
                                                                            • String ID:
                                                                            • API String ID: 3125558077-0
                                                                            • Opcode ID: ff533ff083fb0bfdecd98efe8a88579492991cfcd5fc56163915efb76f817f51
                                                                            • Instruction ID: fb3aa07b6e95a4131385583afad57aa48127175fb83698d1ae27c0ae9485e92a
                                                                            • Opcode Fuzzy Hash: ff533ff083fb0bfdecd98efe8a88579492991cfcd5fc56163915efb76f817f51
                                                                            • Instruction Fuzzy Hash: 76C08CB060531047DB30CB18B80874332DC5F00B08F044429E40AC7200CA70E862879A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ftell.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 009FD2BC
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: ftell
                                                                            • String ID:
                                                                            • API String ID: 4150084136-0
                                                                            • Opcode ID: 98f6af2f6b072226b6b87da4e73b829347ecb7a96c652c78f3a820a28a486419
                                                                            • Instruction ID: 8835d6d125df61898f7c4b3bd8445012aa7ace7544bbbfc859943e785f31c771
                                                                            • Opcode Fuzzy Hash: 98f6af2f6b072226b6b87da4e73b829347ecb7a96c652c78f3a820a28a486419
                                                                            • Instruction Fuzzy Hash: 1AB09278A0020457DA108B78AC0855A3A5D7E52B293D887A4B539C50E1E3AAD4178686
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 009F27D0: new.LIBCMT ref: 009F2802
                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,750292F0,?,00000000), ref: 00A02BA2
                                                                            • OpenServiceA.ADVAPI32(00000000,?,00000026), ref: 00A02BCE
                                                                            • ChangeServiceConfig2W.ADVAPI32(00000000), ref: 00A02C31
                                                                            • GetTickCount.KERNEL32 ref: 00A02C3D
                                                                            • QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,?), ref: 00A02C4F
                                                                            • Sleep.KERNEL32(?,?), ref: 00A02CA4
                                                                            • QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,?,?,?), ref: 00A02CB7
                                                                            • GetTickCount.KERNEL32 ref: 00A02CDF
                                                                            • ControlService.ADVAPI32(00000000,00000001,?), ref: 00A02D09
                                                                            • Sleep.KERNEL32(?), ref: 00A02D2A
                                                                            • QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,?), ref: 00A02D39
                                                                            • GetTickCount.KERNEL32 ref: 00A02D51
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 00A02D6D
                                                                            • CloseServiceHandle.ADVAPI32(?), ref: 00A02D70
                                                                            • GetLastError.KERNEL32(?,?), ref: 00A02D8E
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 00A02DB1
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 00A02DB4
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 00A02DD7
                                                                            • CloseServiceHandle.ADVAPI32(?), ref: 00A02DDA
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 00A02DFD
                                                                            • CloseServiceHandle.ADVAPI32(?), ref: 00A02E00
                                                                            • GetLastError.KERNEL32 ref: 00A02E26
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 00A02E46
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 00A02E49
                                                                            • GetLastError.KERNEL32 ref: 00A02E58
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 00A02E79
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 00A02E96
                                                                            • GetLastError.KERNEL32 ref: 00A02E9A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Service$CloseHandle$ErrorLast$CountQueryStatusTick$OpenSleep$ChangeConfig2ControlManager
                                                                            • String ID: %s enter {$%s exit }$CStealthManager::stopService$Can't find service$ControlService failed (%d)$OpenSCManager failed (%d)$OpenService [%s] failed (%d)$QueryServiceStatusEx 1 failed (%d)$QueryServiceStatusEx 2 failed (%d)$QueryServiceStatusEx 3 failed (%d)$Service stop timed out.$Service stopped successfully.$Wait timed out$stealth_manager
                                                                            • API String ID: 656698291-246199290
                                                                            • Opcode ID: 4d4a41bc79d780b4b43a1e3b2ab334995b46e81f6de34c4de6756c88cd6d4f36
                                                                            • Instruction ID: 36534059d253c69bb17928b24d6a765754b845336e7b45f9845d3c0dc24429f5
                                                                            • Opcode Fuzzy Hash: 4d4a41bc79d780b4b43a1e3b2ab334995b46e81f6de34c4de6756c88cd6d4f36
                                                                            • Instruction Fuzzy Hash: 90918071A8031CEBDB10EF94EC4ABEE7B78FF54701F100815F905A61D1D7B4A9968BA2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetCurrentProcessId.KERNEL32(00000008,6D285D9C,?,00000000,00000000), ref: 009F9BDE
                                                                            • ProcessIdToSessionId.KERNEL32(00000000,?,00000000,00000000), ref: 009F9BE5
                                                                            • GetLastError.KERNEL32(?,00000000,00000000), ref: 009F9BEF
                                                                              • Part of subcall function 009F2740: new.LIBCMT ref: 009F2772
                                                                            • WTSQuerySessionInformationW.WTSAPI32(00000000,00000008,00000005,00000000,00000000,?,00000000,00000000), ref: 009F9C30
                                                                            • GetLastError.KERNEL32(?,00000000,00000000), ref: 009F9C3A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLastProcessSession$CurrentInformationQuery
                                                                            • String ID: D$fail to get pid : %d$fail to get ss user : %d$fail to get ssid : %d$fail to open : %d$fail to open dup : %d$fail to open token : %d$fail to query session info : %d$fxstd::fxwshelper
                                                                            • API String ID: 3328655072-3779455580
                                                                            • Opcode ID: 3fc56c516eff1e8b2b2447548a008606852b2f264fcee08d4fe1b6b9495c651f
                                                                            • Instruction ID: 88c8dabfbaa850551bae687d3e0e5702bc7a26f4a18be33366d01aa66ff26cce
                                                                            • Opcode Fuzzy Hash: 3fc56c516eff1e8b2b2447548a008606852b2f264fcee08d4fe1b6b9495c651f
                                                                            • Instruction Fuzzy Hash: 26A18D71A0020CAFEB10EFA4DC46BBEBBB8FF58745F200119FA06E61A1E77569458B51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • memset.VCRUNTIME140(?,00000000,00000040,?,00000000), ref: 009FBB66
                                                                            • CreateEnvironmentBlock.USERENV(?,00000000,00000001,?,00000000), ref: 009FBB96
                                                                            • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 009FBBC5
                                                                            • DestroyEnvironmentBlock.USERENV(?), ref: 009FBBD5
                                                                            • CloseHandle.KERNEL32(?), ref: 009FBBEA
                                                                            • CloseHandle.KERNEL32(?), ref: 009FBBF5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: BlockCloseCreateEnvironmentHandle$DestroyProcessUsermemset
                                                                            • String ID: D
                                                                            • API String ID: 2205774720-2746444292
                                                                            • Opcode ID: 98aaa4c8b6f8414f4fb1e1403cf8cac1c1690af9ee2f8b058ca0ba598bfb38f6
                                                                            • Instruction ID: 59ed7e51da3e4866ad966847d7776505eff2a1bc1660363f9ba4cb9ce6bfda71
                                                                            • Opcode Fuzzy Hash: 98aaa4c8b6f8414f4fb1e1403cf8cac1c1690af9ee2f8b058ca0ba598bfb38f6
                                                                            • Instruction Fuzzy Hash: 9E218F72A0030C6BDB14DBE4DC81FEE77B8EF48721F100229EA05AB284DA71A9468754
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32(00000020,?,00A05679,00000000), ref: 00A0570D
                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 00A05714
                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000), ref: 00A0574D
                                                                            • AdjustTokenPrivileges.ADVAPI32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 00A05780
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00A05789
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
                                                                            • String ID: SeDebugPrivilege
                                                                            • API String ID: 3038321057-2896544425
                                                                            • Opcode ID: 143e67cde8dc545c97f98a1fdced5f51e215fd4ce03a23bac04a8706cfde014b
                                                                            • Instruction ID: 71b4924b43478cfaea67ebdf02db5f668b00bb29a7516d57a4e053d9aabec8b2
                                                                            • Opcode Fuzzy Hash: 143e67cde8dc545c97f98a1fdced5f51e215fd4ce03a23bac04a8706cfde014b
                                                                            • Instruction Fuzzy Hash: 6B11C871D4030DAFEB10DFE0DD49BEEBBB8BF18700F104119E501B6280D7B55A459BA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • IsProcessorFeaturePresent.KERNEL32(0000000A,?), ref: 00A064B6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: FeaturePresentProcessor
                                                                            • String ID:
                                                                            • API String ID: 2325560087-3916222277
                                                                            • Opcode ID: 74ed9eb3e44802885f5e5184ce9d0fb82ad3b3ce78603e5ce409886d8a5a1ef2
                                                                            • Instruction ID: 5b491a4194fa34508feeea3b9a524cf21aa9ce7e86a74ad4a31de78a13b20be6
                                                                            • Opcode Fuzzy Hash: 74ed9eb3e44802885f5e5184ce9d0fb82ad3b3ce78603e5ce409886d8a5a1ef2
                                                                            • Instruction Fuzzy Hash: 1141AFB1D043098BDB18CFA9E88579EBBF4FB48314F10C52AD805E7294D371A951CF50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SetUnhandledExceptionFilter.KERNEL32(00A067E5,00A05EDC), ref: 00A067DE
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionFilterUnhandled
                                                                            • String ID:
                                                                            • API String ID: 3192549508-0
                                                                            • Opcode ID: 42adc16307cb7b63505c46e8948db83d7454b098d74004f0bffe8b734e298129
                                                                            • Instruction ID: bbe5fee0cae08e89184503fb6acabe40d1bea75e255f856966a79a3c77fee289
                                                                            • Opcode Fuzzy Hash: 42adc16307cb7b63505c46e8948db83d7454b098d74004f0bffe8b734e298129
                                                                            • Instruction Fuzzy Hash:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

APIs
• SetWindowLongW.USER32(?,?,00000002), ref: 009F8FC4
• DefWindowProcW.USER32(?,00000020,?,?,6D285D9C), ref: 009F8FD9
• CreateSolidBrush.GDI32(00333333), ref: 009F8FE9
• GetClientRect.USER32(?,?), ref: 009F8FF6
• FillRect.USER32(?,?,00000000), ref: 009F9002
• GetWindowLongW.USER32(?,000000F0), ref: 009F9015
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 009F9024
• GetParent.USER32(?), ref: 009F902B
• GetDesktopWindow.USER32 ref: 009F9035
• GetWindowRect.USER32(00000000,?), ref: 009F9046
• GetWindowRect.USER32(?,?), ref: 009F904D
• CopyRect.USER32(?,?), ref: 009F9057
• OffsetRect.USER32(?,?,?), ref: 009F9073
• OffsetRect.USER32(?,?,?), ref: 009F9085
• OffsetRect.USER32(?,?,?), ref: 009F9097
• SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000001), ref: 009F90BA
• GetDlgItem.USER32(?,00000542), ref: 009F90CC
• GetDlgItem.USER32(?,00000543), ref: 009F90D6
• GetDlgItem.USER32(?,00000540), ref: 009F90E2
• GetDlgItem.USER32(?,00000541), ref: 009F90EF
• SendMessageW.USER32(00000000,00000030,00000000), ref: 009F9105
• GetDlgItem.USER32(?,00000542), ref: 009F91DC
• GetDlgItem.USER32(?,00000543), ref: 009F91E6
• SetTextColor.GDI32(?,00FFFFFF), ref: 009F91FC
• SetBkMode.GDI32(?,00000001), ref: 009F920A
• GetStockObject.GDI32(00000005), ref: 009F9212
Strings
• Setup is not yet complete. If you cancel the setup now, your software will not be installed., xrefs: 009F9132
• Cancel Setup, xrefs: 009F916D
• To continue installing the program, click Resume. To quit the Setup program, click Exit., xrefs: 009F9157
• Resume, xrefs: 009F918E
• You may run the Setup program at a later time to complete the installation., xrefs: 009F9141
• Exit, xrefs: 009F919B
Memory Dump Source
• Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
• Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
Similarity
• API ID: RectWindow$Item$LongOffset$BrushClientColorCopyCreateDesktopFillMessageModeObjectParentProcSendSolidStockText
• String ID: Cancel Setup$Exit$Resume$Setup is not yet complete. If you cancel the setup now, your software will not be installed.$To continue installing the program, click Resume. To quit the Setup program, click Exit.$You may run the Setup program at a later time to complete the installation.
• API String ID: 1032763113-3762990505
• Opcode ID: 87db68c5598009cc7f1a48d6024ce161c2e1e4ee986da9311e6e7fa4199c9886
• Instruction ID: 7050d2a8b1c6a7460b8bdfee65435e740a6c81a87d8e1d1dc8a0103b65f57287
• Opcode Fuzzy Hash: 87db68c5598009cc7f1a48d6024ce161c2e1e4ee986da9311e6e7fa4199c9886
• Instruction Fuzzy Hash: 37916A71A4021CBBDB10CBE8DC89FFE7B7CEB18711F104616F616A72D1CA74A9428B60
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateEventW.KERNEL32(00000000,00000001,00000000,Global\Exit_5491c4d3-0a5f-4898-bec4-cd906998e306,?,?,?,?,?,009F41F2), ref: 00A0433C
• GetLastError.KERNEL32(?,?,?,?,009F41F2), ref: 00A04348
  • Part of subcall function 009F2740: new.LIBCMT ref: 009F2772
• SetEvent.KERNEL32(00000000,?,?,?,?,009F41F2), ref: 00A04371
• CloseHandle.KERNEL32(00000000,?,?,?,?,009F41F2), ref: 00A04378
• RegisterWindowMessageW.USER32(UWM_END_WINDOW_MSG_86A92825_6B57_423E_AAB1_13C85778886F,?,?,?,?,009F41F2), ref: 00A04383
• FindWindowW.USER32(W64StubClss_27b3f5cc,00000000), ref: 00A04392
• PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00A043A5
• OpenMutexW.KERNEL32(00100000,00000000,APP_5491c4d3-0a5f-4898-bec4-cd906998e306,750292F0,?,?,?,?,?,?,009F41F2), ref: 00A043CC
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,009F41F2), ref: 00A043F1
• Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,?,009F41F2), ref: 00A043F8
• RegGetValueW.ADVAPI32(80000002,SOFTWARE\Classes\CLSID\{d07606c8-6532-4d75-a46d-f5f5ac6ef74a}\MiscStatus\1,PID,00000010,00000000,FFFFFFFF,?), ref: 00A04454
• OpenProcess.KERNEL32(00000001,00000000,FFFFFFFF), ref: 00A04481
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00A04490
• GetLastError.KERNEL32 ref: 00A04498
• CloseHandle.KERNEL32(?), ref: 00A044B5
• GetWindowThreadProcessId.USER32(?,FFFFFFFF), ref: 00A044E9
Strings
Memory Dump Source
• Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
• Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
Similarity
• API ID: CloseHandleProcessWindow$ErrorEventLastMessageOpen$CreateFindMutexPostRegisterSleepTerminateThreadValue
• String ID: APP_5491c4d3-0a5f-4898-bec4-cd906998e306$Cannot create mutex. The process might have been dead, Error %d. break$Get reg value: %d, pid: %d$Global\Exit_5491c4d3-0a5f-4898-bec4-cd906998e306$Open process error: %d$PID$SOFTWARE\Classes\CLSID\{d07606c8-6532-4d75-a46d-f5f5ac6ef74a}\MiscStatus\1$The process is still running, continue waiting$UWM_END_WINDOW_MSG_86A92825_6B57_423E_AAB1_13C85778886F$W64StubClss_27b3f5cc$Waiting for process to die$cannot initialized app exit event (%d)$terminate 2 result: %d, err: %d$terminate 2, err: %d$terminate result: %d, err: %d$uninstall_util
• API String ID: 736561401-2473979389
• Opcode ID: 3140a6d7ca8ac2e87b270bb22894ee4fb3daba24e9451a492384e5416acbb6e1
• Instruction ID: fd0bb38320060716ddd16ff6bc9d196649eda6b40f7d3ad1609c9d434cf76b44
• Opcode Fuzzy Hash: 3140a6d7ca8ac2e87b270bb22894ee4fb3daba24e9451a492384e5416acbb6e1
• Instruction Fuzzy Hash: 2B517A75A8030D7FD710ABE4AC0AFEF7768FB58711F000554FA05A61D1DAB1A96287A2
Uniqueness
• Uniqueness Score: -1.00%

APIs
• _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,6D285D9C,?,?,?,?,00A07678,000000FF), ref: 009FAC64
• GetFileAttributesA.KERNEL32(00000000,00000000,00000000,000000FF,?,00000000,000000FF), ref: 009FAD2E
• fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00A11B2C,00A0A704), ref: 009FAD78
• fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000001,00000000), ref: 009FADDC
• fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 009FADE3
• _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,?,?,?,?,?,000000FF), ref: 009FAE52
• fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00A11B2C,?,?,?,?,?,000000FF), ref: 009FAFB0
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 009FAFD1
• _wsplitpath_s.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,00000000,00000000,00000000,00000000,?,00000104,?,00000100), ref: 009FAFFE
• wcscat_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000105,?), ref: 009FB017
• GetCurrentProcessId.KERNEL32(DEBUG,?), ref: 009FB08E
• fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000001,00000000,?,?,?,?,?,?,?,?,?), ref: 009FB0F4
• fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,?), ref: 009FB0FB
Strings
Memory Dump Source
• Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
• Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
Similarity
• API ID: File_stat64i32fclosefopenfwrite$AttributesCurrentModuleNameProcess_wsplitpath_swcscat_s
• String ID: %s Continue on next file -->$%s %s [%d] <%s> [%s]: %s$DEBUG$ERROR$windows_hook_helper$windows_hook_manager
• API String ID: 3352214153-4226532283
• Opcode ID: b37b318307de708a243b74625ed502f744753ce7b7800de4d0c327b508f3874d
• Instruction ID: b9c91d4e85ddb3abed0d4011d9ebdec2b55485af8635614dd73737a5f17fa65f
• Opcode Fuzzy Hash: b37b318307de708a243b74625ed502f744753ce7b7800de4d0c327b508f3874d
• Instruction Fuzzy Hash: DCF1BF7191421CDBCB24EF54CC95BFAB7B9AF14301F4401DAE60AA7182DB719E85CF62
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00A046B0: memset.VCRUNTIME140(?,00000000,00000228,6D285D9C,?,00000000), ref: 00A0472B
  • Part of subcall function 00A046B0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00A04741
  • Part of subcall function 00A046B0: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00A0475E
  • Part of subcall function 009F5B30: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,009F60EC,?,?,?), ref: 009F5B40
  • Part of subcall function 009F5B30: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,009F60EC,?,?,?), ref: 009F5B54
  • Part of subcall function 009F5B30: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,009F60EC,?,?,?), ref: 009F5B61
  • Part of subcall function 009F5B30: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,009F60EC,?,?,?), ref: 009F5B6E
  • Part of subcall function 009F5B30: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,009F60EC,?,?,?), ref: 009F5B79
• ProcessIdToSessionId.KERNEL32(?,?,winlogon.exe,0000000C,6D285D9C,?,00000000), ref: 009FBA01
• OpenProcess.KERNEL32(00000440,00000000,?,winlogon.exe,0000000C,6D285D9C,?,00000000), ref: 009FBA2F
• OpenProcessToken.ADVAPI32(00000000,0000000B,?), ref: 009FBA55
• DuplicateTokenEx.ADVAPI32(00000000,02000000,00000000,00000001,00000001,00000000), ref: 009FBA71
• CloseHandle.KERNEL32(00000000), ref: 009FBA84
• GetLastError.KERNEL32 ref: 009FBA8C
• CloseHandle.KERNEL32(00000000), ref: 009FBAA8
• GetLastError.KERNEL32 ref: 009FBAB0
  • Part of subcall function 009F2740: new.LIBCMT ref: 009F2772
• CloseHandle.KERNEL32(00000000), ref: 009FBACA
• GetLastError.KERNEL32 ref: 009FBB07
Strings
Memory Dump Source
• Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
• Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$CloseErrorHandleLastProcess$OpenToken$CreateDuplicateFirstProcess32SessionSnapshotToolhelp32memset
• String ID: dup fail: %d$launcher$no wlo process$open token: %d$open wlo: %d$winlogon.exe
• API String ID: 2588391989-2633422826
• Opcode ID: daa64ef10e361f998371250946a96065634bedfb6407dbb70ced615ca84a0b3f
• Instruction ID: 07d745cf35046f1677121f879206fd899da3accd586fea8cca70c3424c2bbafc
• Opcode Fuzzy Hash: daa64ef10e361f998371250946a96065634bedfb6407dbb70ced615ca84a0b3f
• Instruction Fuzzy Hash: FE5136B5E4421DABDB10EFE5DC45BEEBBB8FF18700F200515FA01A6290E774A9418BA0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position), ref: 009FA298
• ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?), ref: 009FA2B2
• ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,?), ref: 009FA2F3
• ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,?), ref: 009FA31A
• memcpy.VCRUNTIME140(?,?,?,?,?), ref: 009FA37D
• memcpy.VCRUNTIME140(?,?,?,?,?), ref: 009FA3D5
• memcpy.VCRUNTIME140(?,?,?,?,?), ref: 009FA40C
• memcpy.VCRUNTIME140(?,?,?,?,?), ref: 009FA449
• memcpy.VCRUNTIME140(?,?,?,?,?), ref: 009FA48C
Strings
Memory Dump Source
• Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
• Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
Similarity
• API ID: memcpy$Xlength_error@std@@Xout_of_range@std@@
• String ID: invalid string position$string too long
• API String ID: 2456977010-4289949731
• Opcode ID: 8041127c39b1fd28b93d4e64d75f6ded8aad153d271571c1a43983b3f05131c8
• Instruction ID: 3b20e13eec9086e34907fa59a0c8ab37ccdc81da90a8d3fed9acb6bbc9d76177
• Opcode Fuzzy Hash: 8041127c39b1fd28b93d4e64d75f6ded8aad153d271571c1a43983b3f05131c8
• Instruction Fuzzy Hash: 6DE12CB160020EDFCB24CF58D9C48AEB7B6FF947057244929E94ACB210DB74E956CF92
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 009F97C8
• GetLastError.KERNEL32 ref: 009F97D2
• malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 009F97E1
• GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,?,?,00000000), ref: 009F97FD
• free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 009F9808
• memset.VCRUNTIME140(?,00000000,00000202), ref: 009F9834
• memset.VCRUNTIME140(?,00000000,00000202,?,00000000,00000202), ref: 009F9848
• LookupAccountSidW.ADVAPI32(00000000,00000000,?,?,?,?,?), ref: 009F9870
• free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,?,00000000,?,?,?,?,00000000,75922EE0,00000000), ref: 009F98EF
Strings
Memory Dump Source
• Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
• Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
Similarity
• API ID: InformationTokenfreememset$AccountErrorLastLookupmalloc
• String ID: fxstd::fxwshelper$lookup
• API String ID: 2804162339-3573435284
• Opcode ID: eb1e9bd4e09790ffdd84af6cf199e0db8e798f7f88316d8f5fe25f6491f430bb
• Instruction ID: 908eaab1a565404a21f2b069b0837b2371f4dea923fc84ff431d1cd2a9a4ca37
• Opcode Fuzzy Hash: eb1e9bd4e09790ffdd84af6cf199e0db8e798f7f88316d8f5fe25f6491f430bb
• Instruction Fuzzy Hash: F4418F72508308AFD720EFA4DC85FABB7ECEF89754F404929F649C2151DB3099458B92
Uniqueness
• Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • memset.VCRUNTIME140(?,00000000,00000228,6D285D9C,00000002,00000000,00000000), ref: 009F995C
                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 009F9971
                                                                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 009F998E
                                                                            • ProcessIdToSessionId.KERNEL32(?,00000007), ref: 009F99DA
                                                                            • OpenProcess.KERNEL32(00000400,00000000,?), ref: 009F99FE
                                                                            • OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 009F9A22
                                                                            • CloseHandle.KERNEL32(00000000), ref: 009F9A2D
                                                                            • CloseHandle.KERNEL32(00000000), ref: 009F9A51
                                                                            • CloseHandle.KERNEL32(00000000), ref: 009F9A58
                                                                            • Process32NextW.KERNEL32(?,0000022C), ref: 009F9B0B
                                                                            • CloseHandle.KERNEL32(?), ref: 009F9B5D
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: CloseHandle$Process$OpenProcess32$CreateFirstNextSessionSnapshotTokenToolhelp32memset
                                                                            • String ID:
                                                                            • API String ID: 4042258717-0
                                                                            • Opcode ID: 6f12429dfb03ac75326080b05d8c2c93c8839904797c487ff50d9f4b6c37e386
                                                                            • Instruction ID: 3efedb1911403a7afc3433c0847151e684c1b3458b20334822ac66453b708f4f
                                                                            • Opcode Fuzzy Hash: 6f12429dfb03ac75326080b05d8c2c93c8839904797c487ff50d9f4b6c37e386
                                                                            • Instruction Fuzzy Hash: AC617E7190421D9FDF10DFA4DC89BBEBBB8FF48308F2041A9E519A7250DB749E068B91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateFontW.GDI32(00000012,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,Calibri), ref: 009F66C9
                                                                            • CreateFontW.GDI32(00000024,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,Calibri), ref: 009F66F2
                                                                            • CreateFontW.GDI32(00000015,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,Calibri), ref: 009F671B
                                                                            • CreateFontW.GDI32(00000017,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,Calibri), ref: 009F6744
                                                                            • CreateFontW.GDI32(00000014,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,Calibri), ref: 009F676D
                                                                            • CreateFontW.GDI32(00000013,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,Calibri), ref: 009F6796
                                                                            • CreateFontW.GDI32(00000020,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,Calibri), ref: 009F67BF
                                                                            • CreateFontW.GDI32(00000014,00000000,00000000,00000000,00000320,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,Calibri), ref: 009F67E8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: CreateFont
                                                                            • String ID: Calibri
                                                                            • API String ID: 1830492434-1409258342
                                                                            • Opcode ID: 0c9ed3b22ba045bc108782b6c9649edfd112a233d674cfedc2647189d92e04b8
                                                                            • Instruction ID: 3af3fff1a136e493611c0c4ddd204f24ea395590c6cc65a2c240e04fba090379
                                                                            • Opcode Fuzzy Hash: 0c9ed3b22ba045bc108782b6c9649edfd112a233d674cfedc2647189d92e04b8
                                                                            • Instruction Fuzzy Hash: 62215E70BC4718BAF730DBA56E0BF8A2E60A710F50F31581AB3187E2D1D6E574019A8D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 009F27D0: new.LIBCMT ref: 009F2802
                                                                            • CloseHandle.KERNEL32(00000000), ref: 009F4D50
                                                                            • ShellExecuteW.SHELL32(00000000,open,iexplore.exe,?,00000000,00000001), ref: 009F4D74
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: CloseExecuteHandleShell
                                                                            • String ID: %s enter {$%s exit }$antivirus_detector$cmd.exe$iexplore.exe$open$openUrl
                                                                            • API String ID: 283469938-2367522800
                                                                            • Opcode ID: fd0cf41fd31133a728615882add349c64497de97a5d8dd5cc7af7a970c3ca994
                                                                            • Instruction ID: 2b6d2e37caca5ec74914e53582e07f5ffeaad0aedd0806a9f653e1c0fe34f75d
                                                                            • Opcode Fuzzy Hash: fd0cf41fd31133a728615882add349c64497de97a5d8dd5cc7af7a970c3ca994
                                                                            • Instruction Fuzzy Hash: 5241C170A0430CEFDF04DFA4D906BBE7BB4FB05708F104519F915AA2C1D7B5AA058BA2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,00A0A5E1,00000000,6D285D9C), ref: 009F2B7D
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?), ref: 009F2BAC
                                                                              • Part of subcall function 009FD0A0: fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,750292F0,?,?,?,009F2BBF), ref: 009FD0AA
                                                                              • Part of subcall function 009FD0A0: new.LIBCMT ref: 009FD0BB
                                                                            • memset.VCRUNTIME140(00000000,00000000,00000001), ref: 009F2BE9
                                                                            • memset.VCRUNTIME140(00000000,00000000,00000001), ref: 009F2D7A
                                                                            • strtok.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00A0A618), ref: 009F2DAA
                                                                            • atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000), ref: 009F2DBA
                                                                            • strtok.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00A0A618), ref: 009F2DCB
                                                                            • atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000), ref: 009F2DD5
                                                                            • strtok.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00A0A618), ref: 009F2DE6
                                                                            • atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000), ref: 009F2DF0
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: atoistrtok$_stat64i32memset$fopen
                                                                            • String ID:
                                                                            • API String ID: 2401252192-0
                                                                            • Opcode ID: 3a5acc173f536f4e6d795f56c6b84fd79d059610247df5fe57c1f38a45162806
                                                                            • Instruction ID: 0121f1cc2bab734ec503b9fa38bfdc9e2ed44738073d8c6c1cc20772dcd86ab2
                                                                            • Opcode Fuzzy Hash: 3a5acc173f536f4e6d795f56c6b84fd79d059610247df5fe57c1f38a45162806
                                                                            • Instruction Fuzzy Hash: 44B1B070E0024C9FEF04DFA8D845BFEBBB9EF45304F644158E915AB282D775AA05CBA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position), ref: 009FA0D1
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long), ref: 009FA0F6
                                                                            • memcpy.VCRUNTIME140(?,?,?), ref: 009FA14B
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long), ref: 009FA17C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Xlength_error@std@@$Xout_of_range@std@@memcpy
                                                                            • String ID: invalid string position$string too long
                                                                            • API String ID: 369118076-4289949731
                                                                            • Opcode ID: d6d712b65605aa03b124af00d361c5383572bb6c144c8d0c1e11bcfd05a5a763
                                                                            • Instruction ID: 665427f239efd0732fedb8b1133527b48358213a80c5ff5273a46d9a7be7b526
                                                                            • Opcode Fuzzy Hash: d6d712b65605aa03b124af00d361c5383572bb6c144c8d0c1e11bcfd05a5a763
                                                                            • Instruction Fuzzy Hash: 9D71517170420D9FCB24CF5CE8808BAB7BAFF99311B14492EEA5AC7250DB31D955CB92
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,00000000,?,?,00A050EB,00000000,?), ref: 00A0567E
                                                                            • GetProcAddress.KERNEL32(00000000,NtWow64QueryInformationProcess64), ref: 00A0569F
                                                                            • GetProcAddress.KERNEL32(00000000,NtWow64ReadVirtualMemory64), ref: 00A056B9
                                                                            • GetProcAddress.KERNEL32(00000000,NtQueryInformationProcess), ref: 00A056D3
                                                                            Strings
                                                                            • NtQueryInformationProcess, xrefs: 00A056CD
                                                                            • ntdll.dll, xrefs: 00A05679
                                                                            • NtWow64ReadVirtualMemory64, xrefs: 00A056B3
                                                                            • NtWow64QueryInformationProcess64, xrefs: 00A05699
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$HandleModule
                                                                            • String ID: NtQueryInformationProcess$NtWow64QueryInformationProcess64$NtWow64ReadVirtualMemory64$ntdll.dll
                                                                            • API String ID: 667068680-1418883184
                                                                            • Opcode ID: 5d34e082b8526e359a9eb54c7227a0b9636f418823754d59e9a1dfd449d4d7e7
                                                                            • Instruction ID: 5e5196a42403158ca07655f77a7dd30ad72f167429add4814f792548e30f6704
                                                                            • Opcode Fuzzy Hash: 5d34e082b8526e359a9eb54c7227a0b9636f418823754d59e9a1dfd449d4d7e7
                                                                            • Instruction Fuzzy Hash: 3301B530D45B1DAACB21DBB5BC447DB72A8EB50362F585826D000950E0FF768983CFE5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,Global\KNIT_NFS_EXIT_CD1DF70D-8191-4840-B884-76C2620B8ED3,?,009F41F7), ref: 00A045CC
                                                                            • GetLastError.KERNEL32 ref: 00A045D8
                                                                              • Part of subcall function 009F2740: new.LIBCMT ref: 009F2772
                                                                            • SetEvent.KERNEL32(00000000), ref: 00A045F4
                                                                            • Sleep.KERNEL32(000001F4), ref: 00A045FF
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00A04606
                                                                            Strings
                                                                            • uninstall_util, xrefs: 00A045E4
                                                                            • cannot initialize network exit event (%d), xrefs: 00A045DF
                                                                            • Global\KNIT_NFS_EXIT_CD1DF70D-8191-4840-B884-76C2620B8ED3, xrefs: 00A045C1
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Event$CloseCreateErrorHandleLastSleep
                                                                            • String ID: Global\KNIT_NFS_EXIT_CD1DF70D-8191-4840-B884-76C2620B8ED3$cannot initialize network exit event (%d)$uninstall_util
                                                                            • API String ID: 3653494817-796478995
                                                                            • Opcode ID: d98fb4573a0e7ff0188515b87bbe10abdd4a71ac671f02472721dfb99b67e256
                                                                            • Instruction ID: a64d72048a9dde335677fdb5d77db48395256bb17f9b03a1861549a61718bd89
                                                                            • Opcode Fuzzy Hash: d98fb4573a0e7ff0188515b87bbe10abdd4a71ac671f02472721dfb99b67e256
                                                                            • Instruction Fuzzy Hash: F8E086725C13257FD661B7E47C0FFDE3A14BF28B52F000200F601540D0869058D347A7
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,Global\Exit_7a176276-e800-4daa-b5e8-7febbd3efc4a,?,009F41ED), ref: 00A0457C
                                                                            • GetLastError.KERNEL32 ref: 00A04588
                                                                              • Part of subcall function 009F2740: new.LIBCMT ref: 009F2772
                                                                            • SetEvent.KERNEL32(00000000), ref: 00A045A4
                                                                            • Sleep.KERNEL32(000001F4), ref: 00A045AF
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00A045B6
                                                                            Strings
                                                                            • Global\Exit_7a176276-e800-4daa-b5e8-7febbd3efc4a, xrefs: 00A04571
                                                                            • cannot initialized app exit event (%d), xrefs: 00A0458F
                                                                            • uninstall_util, xrefs: 00A04594
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Event$CloseCreateErrorHandleLastSleep
                                                                            • String ID: Global\Exit_7a176276-e800-4daa-b5e8-7febbd3efc4a$cannot initialized app exit event (%d)$uninstall_util
                                                                            • API String ID: 3653494817-1173659242
                                                                            • Opcode ID: 90eef08dc95be3e8208754676fbaa80d19ba811237e2c289cb5331f5efc8a26a
                                                                            • Instruction ID: 8c8de2631434255b4ea1eb294c76942fc4c4f717930925a8a63a079e9f9c6cd7
                                                                            • Opcode Fuzzy Hash: 90eef08dc95be3e8208754676fbaa80d19ba811237e2c289cb5331f5efc8a26a
                                                                            • Instruction Fuzzy Hash: 77E08C72AC1329BBD621B7E47C0FFDF3A15BB28B22F000200FA01940E08A94599387A3
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetWindowRect.USER32(?,?), ref: 009F46CF
                                                                            • GdipGetImageWidth.GDIPLUS(?,?,?,?), ref: 009F46E3
                                                                            • GdipGetImageHeight.GDIPLUS(?,00000000,?,?), ref: 009F4709
                                                                            • GetDC.USER32(?), ref: 009F4724
                                                                            • GdipCreateFromHDC.GDIPLUS(00000000,?,?,?), ref: 009F4736
                                                                            • GdipGetImageHeight.GDIPLUS(?,00000000,?,?), ref: 009F474A
                                                                            • GdipGetImageWidth.GDIPLUS(?,?,?,?), ref: 009F476B
                                                                            • GdipDrawImageRectI.GDIPLUS(00000000,?,?,?,00000000,?,?,?), ref: 009F4787
                                                                            • GdipDeleteGraphics.GDIPLUS(00000000,?,?), ref: 009F478E
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Gdip$Image$HeightRectWidth$CreateDeleteDrawFromGraphicsWindow
                                                                            • String ID:
                                                                            • API String ID: 2886385483-0
                                                                            • Opcode ID: d36351db512d4ca4d100c54eb74adda1f29311d7b02f635d52b3673df034e117
                                                                            • Instruction ID: ac015d7514903a79f39dc3c7aa2c2b5c2b45222fc127348391dc0bf386fe948f
                                                                            • Opcode Fuzzy Hash: d36351db512d4ca4d100c54eb74adda1f29311d7b02f635d52b3673df034e117
                                                                            • Instruction Fuzzy Hash: B931C27590030DAFDB10DFE8DD88AAEBBB8FB09300F108159E916A7250DB34A946CB61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,Global\Exit_7a176276-e800-4daa-b5e8-7febbd3efc4a,750292F0,?,?,009F41D1), ref: 00A02AF5
                                                                            • SetEvent.KERNEL32(00000000,?,009F41D1), ref: 00A02B02
                                                                            • CloseHandle.KERNEL32(00000000,?,009F41D1), ref: 00A02B09
                                                                            • GetLastError.KERNEL32(?,009F41D1), ref: 00A02B11
                                                                            Strings
                                                                            • Global\Exit_7a176276-e800-4daa-b5e8-7febbd3efc4a, xrefs: 00A02AE8
                                                                            • cannot initialized app exit event (%d), xrefs: 00A02B18
                                                                            • stealth_manager, xrefs: 00A02B1D
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Event$CloseCreateErrorHandleLast
                                                                            • String ID: Global\Exit_7a176276-e800-4daa-b5e8-7febbd3efc4a$cannot initialized app exit event (%d)$stealth_manager
                                                                            • API String ID: 2055590504-372883222
                                                                            • Opcode ID: a76beb034bff3ac3135115f8a62e37dfb44b48a6305bedc0c6b15551a4a2bf46
                                                                            • Instruction ID: abc14dd930f8075de3a270b2bf86c7090d6c3d52d5831b2395fbe3c02c00d60e
                                                                            • Opcode Fuzzy Hash: a76beb034bff3ac3135115f8a62e37dfb44b48a6305bedc0c6b15551a4a2bf46
                                                                            • Instruction Fuzzy Hash: 72F08232F8031873C11077A97C1FF9E3A1C9B56B12F040611FD059A1D2E995995243E3
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • DeleteObject.GDI32(310A0DBA), ref: 009F68D1
                                                                            • DeleteObject.GDI32(4C0A0DAC), ref: 009F68E7
                                                                            • DeleteObject.GDI32(1F0A0D8A), ref: 009F68FD
                                                                            • DeleteObject.GDI32(F10A0D71), ref: 009F6913
                                                                            • DeleteObject.GDI32(090A0DB4), ref: 009F6929
                                                                            • DeleteObject.GDI32(0F0A0DA4), ref: 009F693F
                                                                            • DeleteObject.GDI32(5A0A0DAB), ref: 009F6955
                                                                            • DeleteObject.GDI32(500A0DA9), ref: 009F696B
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: DeleteObject
                                                                            • String ID:
                                                                            • API String ID: 1531683806-0
                                                                            • Opcode ID: fa1dc4235d8c0b3a085553f20659eca364ce8809977de998bffb6851ecd7e1e2
                                                                            • Instruction ID: cfc62d0ba796bd2f64a40d3ac6611b513b19f017852d8d6f170b89d6077198cd
                                                                            • Opcode Fuzzy Hash: fa1dc4235d8c0b3a085553f20659eca364ce8809977de998bffb6851ecd7e1e2
                                                                            • Instruction Fuzzy Hash: CA112EB0B14B199BDB10DFBDED44B9A3BFCAB10740F04905AA514D7290DBB8D8428BA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _com_issue_error.COMSUPP ref: 00A058D4
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,009F25D5,?,00000000,00000000,?,00A0639C,00A15098,000000FE,?,009F25D5), ref: 00A058E3
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,00A0639C,00A15098,000000FE,?,009F25D5), ref: 00A058F6
                                                                            • GetLastError.KERNEL32(?,00A0639C,00A15098,000000FE,?,009F25D5), ref: 00A058FE
                                                                            • _com_issue_error.COMSUPP ref: 00A05911
                                                                            • SysAllocString.OLEAUT32(00000000), ref: 00A05917
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,00A0639C,00A15098,000000FE,?,009F25D5), ref: 00A05928
                                                                            • _com_issue_error.COMSUPP ref: 00A05939
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: _com_issue_error$free$AllocByteCharErrorLastMultiStringWide
                                                                            • String ID:
                                                                            • API String ID: 2419198754-0
                                                                            • Opcode ID: df74a5079b07d09b966773c4d027c3e12f67c4808f1cdde163fd8b79d17f2d84
                                                                            • Instruction ID: 5fef32fcd04d127ef7d9ef9a1871e0214edcabd0d969f0b3469cfc00a4b3093c
                                                                            • Opcode Fuzzy Hash: df74a5079b07d09b966773c4d027c3e12f67c4808f1cdde163fd8b79d17f2d84
                                                                            • Instruction Fuzzy Hash: 1D11E571F0061CEBDB20ABB4ED49B9F7768EF58360F000129F905B72C0D63998518BA6
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?,?,?,009F567F,?,?,?,?,?,?,009F11F1,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/,00000040), ref: 009F573A
                                                                              • Part of subcall function 009F5F30: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?,?,009F5793,00000000,?,?,?,?,?,009F567F,?,?,?), ref: 009F5F46
                                                                            • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?,?,?,009F567F,?,?,?,?,?,?,009F11F1,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/,00000040), ref: 009F575B
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Xout_of_range@std@@
                                                                            • String ID: invalid string position$string too long
                                                                            • API String ID: 1960685668-4289949731
                                                                            • Opcode ID: f6791fbb6607448a758c99f60216b27a22ecc3d832c183d84bf162bdc6521439
                                                                            • Instruction ID: ca5f3e5f63cc042486368508a05a3979d1fc98fb606b9d066c7b37e0697583c4
                                                                            • Opcode Fuzzy Hash: f6791fbb6607448a758c99f60216b27a22ecc3d832c183d84bf162bdc6521439
                                                                            • Instruction Fuzzy Hash: B9319332304B18CBD720AE5CE840B6AF7A9EBA5B61F11092EE746C7241D771984187E5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?,?,?,009F5290,?,?,?,?,?,?,009F1132,1.3.1,00000005), ref: 009F535A
                                                                            • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?,?,?,009F5290,?,?,?,?,?,?,009F1132,1.3.1,00000005), ref: 009F537B
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,?,?,?,009F5290,?,?,?,?,?,?,009F1132,1.3.1,00000005), ref: 009F53B5
                                                                            • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,009F5290,?,?,?,?,?,?,009F1132,1.3.1), ref: 009F541E
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Xout_of_range@std@@$Xlength_error@std@@memcpy
                                                                            • String ID: invalid string position$string too long
                                                                            • API String ID: 3790025958-4289949731
                                                                            • Opcode ID: c5bfadf614208fb7bbfd9cbc18f80ee92d703a0ea58442a70656249837a53230
                                                                            • Instruction ID: 09b428e79eb4352b10d35a17a54a9b47dbd02fc1ad96e66529b83e0ff08ebcea
                                                                            • Opcode Fuzzy Hash: c5bfadf614208fb7bbfd9cbc18f80ee92d703a0ea58442a70656249837a53230
                                                                            • Instruction Fuzzy Hash: 18319332304B19DBC7249F5CE88082AF7E9FF947563120A2EE746C7250DBB19855CBA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,00000058,00000040,00000000,?,00A00CB8,?,00000000,000000FF,{d07606c8-6532-4d75-a46d-f5f5ac6ef74a},00000026,SOFTWARE\Classes\CLSID\,00000017), ref: 009F5D2A
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,00000058,00000040,00000000,?,00A00CB8,?,00000000,000000FF,{d07606c8-6532-4d75-a46d-f5f5ac6ef74a},00000026,SOFTWARE\Classes\CLSID\,00000017), ref: 009F5D4D
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,00000058,00000040,00000000,?,00A00CB8,?,00000000,000000FF,{d07606c8-6532-4d75-a46d-f5f5ac6ef74a},00000026,SOFTWARE\Classes\CLSID\,00000017), ref: 009F5D6B
                                                                            • memcpy.VCRUNTIME140(?,?,?,00000058,00000040,00000000,?,00A00CB8,?,00000000,000000FF,{d07606c8-6532-4d75-a46d-f5f5ac6ef74a},00000026,SOFTWARE\Classes\CLSID\,00000017), ref: 009F5DDB
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Xlength_error@std@@$Xout_of_range@std@@memcpy
                                                                            • String ID: invalid string position$string too long
                                                                            • API String ID: 369118076-4289949731
                                                                            • Opcode ID: 5769ef65971bd32ebfea0c2f0d8b47d2f8e5b3b7c4e0b89531bb94150338b1b1
                                                                            • Instruction ID: eefbb76d26080a153df594955033428045f16424b9c42fac4b95dbb84ae2fb3a
                                                                            • Opcode Fuzzy Hash: 5769ef65971bd32ebfea0c2f0d8b47d2f8e5b3b7c4e0b89531bb94150338b1b1
                                                                            • Instruction Fuzzy Hash: 5D31A1323067099FCB28DF9CE88496AB3E9FF94711312092EE756C7290D731E915CBA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,00000000,?,?,009F589F,00000000,?,?,?,00A17720,?,009FD43B,\*.*,00000004,00000000), ref: 009F597A
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,00000000,?,?,009F589F,00000000,?,?,?,00A17720,?,009FD43B,\*.*,00000004,00000000), ref: 009F599D
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,00000000,?,?,009F589F,00000000,?,?,?,00A17720,?,009FD43B,\*.*,00000004,00000000), ref: 009F59B8
                                                                            • memcpy.VCRUNTIME140(?,?,6D285D9C,?,00000000,?,?,009F589F,00000000,?,?,?,00A17720,?,009FD43B,\*.*), ref: 009F5A1F
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Xlength_error@std@@$Xout_of_range@std@@memcpy
                                                                            • String ID: invalid string position$string too long
                                                                            • API String ID: 369118076-4289949731
                                                                            • Opcode ID: 00a2a64c771896a3f3b730ec4e6ebe26be0b85669b3e2a48b491b630aa6579ae
                                                                            • Instruction ID: 60b56e8474ffc9d052fd6e26fd9d650afb024977eb6b1e4258da702d00e4053e
                                                                            • Opcode Fuzzy Hash: 00a2a64c771896a3f3b730ec4e6ebe26be0b85669b3e2a48b491b630aa6579ae
                                                                            • Instruction Fuzzy Hash: 9C31C731300709DFDB28CF5CE880A2AB7A5EF95721B510A2EE756C7241C3B1DC5087A5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • WTSEnumerateSessionsA.WTSAPI32(00000000,00000000,00000001,?,?,00000000), ref: 009F9F52
                                                                            • WTSFreeMemory.WTSAPI32(?), ref: 009F9F79
                                                                            • GetLastError.KERNEL32 ref: 009F9F95
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: EnumerateErrorFreeLastMemorySessions
                                                                            • String ID: CANNOT FIND REAL SESSION # GOT : %d$GET SESSION ERROR : %d$fxstd::fxwshelper
                                                                            • API String ID: 1558365644-4019733835
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,00000000,6D285D9C,00000000,?), ref: 009FB204
                                                                            • _wstat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,?,00000000,000000FF), ref: 009FB353
                                                                            • wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000104), ref: 009FB368
                                                                            • rename.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?), ref: 009FB3D9
                                                                              • Part of subcall function 009F5B90: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 009F5BA3
                                                                              • Part of subcall function 009F5B90: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 009F5BB0
                                                                              • Part of subcall function 009F5B90: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 009F5BBD
                                                                              • Part of subcall function 009F5B90: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 009F5BC8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn$_stat64i32_wstat64i32renamewcsnlen
                                                                            • String ID: _%d
                                                                            • API String ID: 1077365053-982369593
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • new.LIBCMT ref: 009F2639
                                                                              • Part of subcall function 00A05B51: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,009F608A,?,6D285D9C,?,?,?), ref: 00A05B78
                                                                            • SysAllocString.OLEAUT32(ROOT\SecurityCenter2), ref: 009F2672
                                                                            • _com_issue_error.COMSUPP ref: 009F2683
                                                                            • _com_issue_error.COMSUPP ref: 009F269C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: _com_issue_error$AllocStringmalloc
                                                                            • String ID: ROOT\SecurityCenter2
                                                                            • API String ID: 2559737271-2110076786
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xbad_alloc@std@@YAXXZ.MSVCP140(?,?,3FFFFFFF,?,?,009FBFD9,?,?,?,?,009FBF28,?), ref: 009FC05C
                                                                            • ?_Xbad_alloc@std@@YAXXZ.MSVCP140(?,?,3FFFFFFF,?,?,009FBFD9,?,?,?,?,009FBF28,?), ref: 009FC077
                                                                            • new.LIBCMT ref: 009FC07E
                                                                            • memcpy.VCRUNTIME140(00000000,?,?), ref: 009FC0A6
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Xbad_alloc@std@@$memcpy
                                                                            • String ID:
                                                                            • API String ID: 3627194217-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,009FB56C,?), ref: 009FB6B0
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,009FB56C,?), ref: 009FB6C8
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,009FB56C,?), ref: 009FB6D5
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,009FB56C,?), ref: 009FB6E2
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,009FB56C,?), ref: 009FB6ED
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                            • String ID:
                                                                            • API String ID: 3668304517-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00A04ED7,?,?,?,?,?,?,?,00000000,000000FF,?), ref: 009F9600
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00A04ED7,?,?,?,?,?,?,?,00000000,000000FF,?), ref: 009F9615
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00A04ED7,?,?,?,?,?,?,?,00000000,000000FF,?), ref: 009F9622
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00A04ED7,?,?,?,?,?,?,?,00000000,000000FF,?), ref: 009F962F
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00A04ED7,?,?,?,?,?,?,?,00000000,000000FF,?), ref: 009F963A
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                            • String ID:
                                                                            • API String ID: 3668304517-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,009FBD97,?,?,?,?,?,00A07800,000000FF,?,009FBCEB), ref: 009FBFF0
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,009FBD97,?,?,?,?,?,00A07800,000000FF,?,009FBCEB), ref: 009FC005
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,009FBD97,?,?,?,?,?,00A07800,000000FF,?,009FBCEB), ref: 009FC012
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,009FBD97,?,?,?,?,?,00A07800,000000FF,?,009FBCEB), ref: 009FC01F
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,009FBD97,?,?,?,?,?,00A07800,000000FF,?,009FBCEB), ref: 009FC02A
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                            • String ID:
                                                                            • API String ID: 3668304517-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,00A17720,?,009FD43B,\*.*,00000004,00000000,00000000,000000FF,00A17720,00A17721,6D285D9C), ref: 009F58B8
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,?,00A17720,?,009FD43B,\*.*,00000004,00000000,00000000,000000FF,00A17720,00A17721,6D285D9C), ref: 009F58D4
                                                                            • memcpy.VCRUNTIME140(?,?,?,?,?,00A17720,?,009FD43B,\*.*,00000004,00000000,00000000,000000FF,00A17720,00A17721,6D285D9C), ref: 009F592E
                                                                              • Part of subcall function 009F5960: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,00000000,?,?,009F589F,00000000,?,?,?,00A17720,?,009FD43B,\*.*,00000004,00000000), ref: 009F597A
                                                                              • Part of subcall function 009F5960: ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,00000000,?,?,009F589F,00000000,?,?,?,00A17720,?,009FD43B,\*.*,00000004,00000000), ref: 009F599D
                                                                              • Part of subcall function 009F5960: ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,00000000,?,?,009F589F,00000000,?,?,?,00A17720,?,009FD43B,\*.*,00000004,00000000), ref: 009F59B8
                                                                              • Part of subcall function 009F5960: memcpy.VCRUNTIME140(?,?,6D285D9C,?,00000000,?,?,009F589F,00000000,?,?,?,00A17720,?,009FD43B,\*.*), ref: 009F5A1F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Xlength_error@std@@$memcpy$Xout_of_range@std@@
                                                                            • String ID: string too long
                                                                            • API String ID: 2402964757-2556327735
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,?,?,009FC184,?,?,?,?,?,?,00000000,00000000), ref: 009FCDD4
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,?,?,009FC184,?,?,?,?,?,?,00000000,00000000), ref: 009FCDE4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Xlength_error@std@@
                                                                            • String ID: string too long
                                                                            • API String ID: 1004598685-2556327735
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • memset.VCRUNTIME140(?,00000000,00000240,00000000,?), ref: 00A04FA3
                                                                            • ReadProcessMemory.KERNEL32(?,00000000,?,00000240,?,00000000,?), ref: 00A04FDA
                                                                            • memset.VCRUNTIME140(?,00000000,00000294), ref: 00A04FF2
                                                                            • ReadProcessMemory.KERNEL32(?,?,?,00000294,?), ref: 00A05025
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: MemoryProcessReadmemset
                                                                            • String ID:
                                                                            • API String ID: 1858673621-0
                                                                            • Opcode ID: d5947f74ef3baba6217e00664e3d9320bfb07acb771c957401afd538ca2ca66e
                                                                            • Instruction ID: 29e9b2690de8cb46318a5b9b5a5e29cb6de14714ed839fee426219b10b4f81dc
                                                                            • Opcode Fuzzy Hash: d5947f74ef3baba6217e00664e3d9320bfb07acb771c957401afd538ca2ca66e
                                                                            • Instruction Fuzzy Hash: 33415071E0060DAEDB20DFA5ED85BAFB7B8EF48340F540569F505A72C1EB70AA458F90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xbad_alloc@std@@YAXXZ.MSVCP140(6D285D9C,?,?,?), ref: 009F61F8
                                                                            • new.LIBCMT ref: 009F61FF
                                                                            • new.LIBCMT ref: 009F6213
                                                                            • memcpy.VCRUNTIME140(00000000,?,?,?,?,?,009F11F1,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/,00000040), ref: 009F625F
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Xbad_alloc@std@@memcpy
                                                                            • String ID:
                                                                            • API String ID: 4293406529-0
                                                                            • Opcode ID: 70c491d89aa360e87b7c8cdb0ebda073a3bd76b630e3f4638991f28b64407dd0
                                                                            • Instruction ID: d3f4687e8424e33e391aa352c82fba4ce0f1b870734d66f930fde2ab578d7f29
                                                                            • Opcode Fuzzy Hash: 70c491d89aa360e87b7c8cdb0ebda073a3bd76b630e3f4638991f28b64407dd0
                                                                            • Instruction Fuzzy Hash: 9931BD71A047099FDB24CF68D980BBAB7E8EB45750F500B2DE962C7381E775E904CBA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xbad_alloc@std@@YAXXZ.MSVCP140(6D285D9C,?,?,?,00000000,000000FF,?,?,?,00000000), ref: 00A04E1F
                                                                            • ?_Xbad_alloc@std@@YAXXZ.MSVCP140(6D285D9C,?,?,?,00000000,000000FF,?,?,?,00000000), ref: 00A04E36
                                                                            • new.LIBCMT ref: 00A04E3D
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Xbad_alloc@std@@
                                                                            • String ID:
                                                                            • API String ID: 3815834350-0
                                                                            • Opcode ID: 522755d779715c3d41badba75626a0b769f6371731260d1299d461a495b46a91
                                                                            • Instruction ID: 55f2c298947406b32ced983374a4d281bbbea5107c95572677b414973f1d8b14
                                                                            • Opcode Fuzzy Hash: 522755d779715c3d41badba75626a0b769f6371731260d1299d461a495b46a91
                                                                            • Instruction Fuzzy Hash: 7D31C7B2E005099FCB18DF68ED817AEBBB5FB98700F154169E915EB394E730E901C791
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xbad_alloc@std@@YAXXZ.MSVCP140(?,00A04D0B,?,00000000,?,?,00A05410,?,6D285D9C,00000000,?,00000000,?,00A08608,000000FF), ref: 009F6349
                                                                            • ?_Xbad_alloc@std@@YAXXZ.MSVCP140(?,00A04D0B,?,00000000,?,?,00A05410,?,6D285D9C,00000000,?,00000000,?,00A08608,000000FF), ref: 009F635F
                                                                            • new.LIBCMT ref: 009F6366
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Xbad_alloc@std@@
                                                                            • String ID:
                                                                            • API String ID: 3815834350-0
                                                                            • Opcode ID: d334bd19de9a250b594fb6ff54cfa261ca56bf0595d25779471450c32a05eceb
                                                                            • Instruction ID: 5643cbc19cd5c98edbbc3b12ff458d90ae9f075e66e76f8084d8c182572e9b93
                                                                            • Opcode Fuzzy Hash: d334bd19de9a250b594fb6ff54cfa261ca56bf0595d25779471450c32a05eceb
                                                                            • Instruction Fuzzy Hash: FDF082B2E043084BDB1CEBB8B956A2B769C9B24354714023AF22AC7190F662E854C759
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 009F5BA3
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 009F5BB0
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 009F5BBD
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 009F5BC8
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                            • String ID:
                                                                            • API String ID: 3668304517-0
                                                                            • Opcode ID: 793a552dd69a3d05df72d1d5cdf14a9c2cba8c6ba6f479f13babc02380c6f9c9
                                                                            • Instruction ID: 4577db057f63b863d017a01e90db0158cf2c690aedf1ce53e8cab7b93b22a3d2
                                                                            • Opcode Fuzzy Hash: 793a552dd69a3d05df72d1d5cdf14a9c2cba8c6ba6f479f13babc02380c6f9c9
                                                                            • Instruction Fuzzy Hash: 2FE09230500B0E9BD704FBE4AA6D4BD775DAB24312B404032FB06C5220E636E892CF2A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,?,?,?,009F11F1,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/,00000040), ref: 009F5693
                                                                            • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,009F11F1,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/,00000040), ref: 009F56E7
                                                                              • Part of subcall function 009F5720: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?,?,?,009F567F,?,?,?,?,?,?,009F11F1,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/,00000040), ref: 009F573A
                                                                              • Part of subcall function 009F5720: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?,?,?,009F567F,?,?,?,?,?,?,009F11F1,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/,00000040), ref: 009F575B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Xout_of_range@std@@$Xlength_error@std@@memcpy
                                                                            • String ID: string too long
                                                                            • API String ID: 3790025958-2556327735
                                                                            • Opcode ID: 1b94b752eaacd0d1d134235c2b81b009b296434298ffb6c2a86360790d7c1ca6
                                                                            • Instruction ID: 3ac20eb9bbd07fa590395940447f38041a1d76b00485f286a08d4a7f515e4555
                                                                            • Opcode Fuzzy Hash: 1b94b752eaacd0d1d134235c2b81b009b296434298ffb6c2a86360790d7c1ca6
                                                                            • Instruction Fuzzy Hash: 4B312B32300B189BD7309E5CE88093AF7E9EFA1725BA1492BF7A1C7640C7719C448BE4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,?,?,?,009F1132,1.3.1,00000005), ref: 009F52A7
                                                                            • memcpy.VCRUNTIME140(?,?,00000000,?,?,?,?,009F1132,1.3.1,00000005), ref: 009F5302
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Xlength_error@std@@memcpy
                                                                            • String ID: string too long
                                                                            • API String ID: 237780522-2556327735
                                                                            • Opcode ID: 9913e587b284e72680b195d9135158dc80bf7d5f35a027e1701ff61d50c4855f
                                                                            • Instruction ID: cf7e78bd7d121186fd446d8a4f45c6152857fbde71d84684ce617101781af7d3
                                                                            • Opcode Fuzzy Hash: 9913e587b284e72680b195d9135158dc80bf7d5f35a027e1701ff61d50c4855f
                                                                            • Instruction Fuzzy Hash: 1F31C632304F199B86249E9CE8808BEF3E9FF957613220A2FE356C7250D721A804C7A5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,6D285D9C), ref: 009FC4DA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Xout_of_range@std@@
                                                                            • String ID: $invalid string position
                                                                            • API String ID: 1960685668-3618421887
                                                                            • Opcode ID: 681bd63b3ef2cd5868bf7f5a334d0253a5948d59f58eb1873b26444ac81722c9
                                                                            • Instruction ID: 43e3c90bdee955fb1d809dbe0a60ae638dea3a4f50f2a3f3e04c9780553e9d4f
                                                                            • Opcode Fuzzy Hash: 681bd63b3ef2cd5868bf7f5a334d0253a5948d59f58eb1873b26444ac81722c9
                                                                            • Instruction Fuzzy Hash: AC31E6B061460C9FDB28DF28CA5977EBBF5EB44710F504A1DF162872C1C774A945CB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,00000000,?,009FC284,?,?,?,?,?,?,00000000,00000000), ref: 009FCB34
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,00000000,?,009FC284,?,?,?,?,?,?,00000000,00000000), ref: 009FCB47
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Xlength_error@std@@
                                                                            • String ID: string too long
                                                                            • API String ID: 1004598685-2556327735
                                                                            • Opcode ID: 79e2ec9fa1907f001e16701963772c1ca684b76c9ca54fb18964fccc2b94fb1e
                                                                            • Instruction ID: df340a61e5a8018137044bb44ca50647117400fddb68ffa63f04bd498546f518
                                                                            • Opcode Fuzzy Hash: 79e2ec9fa1907f001e16701963772c1ca684b76c9ca54fb18964fccc2b94fb1e
                                                                            • Instruction Fuzzy Hash: 9521F47931431C97CB245F68E98147AF3A8FF697223208A2FE786C7750D6319814CBA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetWindowsDirectoryA.KERNEL32(00000040,00000104,6D285D9C), ref: 00A01405
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: DirectoryWindows
                                                                            • String ID: \sysnative$\system32
                                                                            • API String ID: 3619848164-3725051112
                                                                            • Opcode ID: 9a64f997d6ce51394bab50ce247f73bea65dc1d881abf50b7298b463c8c8810e
                                                                            • Instruction ID: 070dfb8eee8a447731bb00c9f0586b11270d79f0bf69a0e17cc9770930253eef
                                                                            • Opcode Fuzzy Hash: 9a64f997d6ce51394bab50ce247f73bea65dc1d881abf50b7298b463c8c8810e
                                                                            • Instruction Fuzzy Hash: A421A0B0A0475CAFDB24CF14D805BEABBB4FB05B14F00469EE5465B6C1C7B55A49CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

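The function records in this part of the report all share one text layout: an APIs list (each bullet being name.module(arguments), ref: address, sometimes prefixed with "Part of subcall function"), the memory-dump source, the IDA-plugin snapshot, the similarity IDs and a uniqueness score. The Python below is an added triage helper, not part of the Joe Sandbox report or of its tooling. It parses that layout as copied from the page into per-function records, lists the functions whose direct calls hit an API watchlist (here the ReadProcessMemory function and the GetWindowsDirectoryA function carrying the \sysnative and \system32 strings), and recovers the nSize argument of each ReadProcessMemory call. The embedded excerpt is constructed from two of the records above; the watchlist, the reading of "$" as the separator inside "String ID", and the treatment of trailing argument entries as extra stack slots are assumptions.

```python
import re

# Constructed excerpt: two of the function records above, in the layout the page uses
# (the "Associated" dump lines are left out; they carry no per-function information).
SAMPLE = r"""APIs
• memset.VCRUNTIME140(?,00000000,00000240,00000000,?), ref: 00A04FA3
• ReadProcessMemory.KERNEL32(?,00000000,?,00000240,?,00000000,?), ref: 00A04FDA
• memset.VCRUNTIME140(?,00000000,00000294), ref: 00A04FF2
• ReadProcessMemory.KERNEL32(?,?,?,00000294,?), ref: 00A05025
Memory Dump Source
• Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
Similarity
• API ID: MemoryProcessReadmemset
• String ID:
• API String ID: 1858673621-0
• Opcode ID: d5947f74ef3baba6217e00664e3d9320bfb07acb771c957401afd538ca2ca66e
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetWindowsDirectoryA.KERNEL32(00000040,00000104,6D285D9C), ref: 00A01405
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
Similarity
• API ID: DirectoryWindows
• String ID: \sysnative$\system32
• API String ID: 3619848164-3725051112
• Opcode ID: 9a64f997d6ce51394bab50ce247f73bea65dc1d881abf50b7298b463c8c8810e
Uniqueness
Uniqueness Score: -1.00%
"""

# One API bullet: optional "Part of subcall function <addr>: " prefix, then
# <name>.<module>(<args>), ref: <addr>.  The argument group is absent on lines
# such as "new.LIBCMT ref: 009F61FF".
API_RE = re.compile(
    r"^• (?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>[^.(]+)\.(?P<module>[^(\s,]+)"
    r"(?:\((?P<args>.*)\),)? ref: (?P<ref>[0-9A-F]+)$"
)

# Assumed watchlist: APIs worth a second look in any function of this sample.
WATCHLIST = {"ReadProcessMemory", "WriteProcessMemory", "GetWindowsDirectoryA",
             "OpenProcess", "CreateRemoteThread"}


def _field(line, label):
    """Value of a '• <label>: value' bullet, or None when the line is not that bullet."""
    prefix = "• " + label + ":"
    return line[len(prefix):].strip() if line.startswith(prefix) else None


def parse_records(text):
    """Split the report text into per-function records, one per 'APIs' header."""
    records, rec = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            rec = {"apis": [], "subcalls": [], "strings": [], "snapshot": None,
                   "api_id": None, "opcode_id": None, "score": None}
            records.append(rec)
            continue
        if rec is None:
            continue
        m = API_RE.match(line)
        if m:
            call = {"name": m["name"], "module": m["module"], "ref": m["ref"],
                    "args": m["args"].split(",") if m["args"] else []}
            (rec["subcalls"] if m["sub"] else rec["apis"]).append(call)
        elif (v := _field(line, "String ID")) is not None:
            rec["strings"] = [s for s in v.split("$") if s]   # assumed '$' separator
        elif (v := _field(line, "Snapshot File")) is not None:
            rec["snapshot"] = v
        elif (v := _field(line, "API ID")) is not None:
            rec["api_id"] = v
        elif (v := _field(line, "Opcode ID")) is not None:
            rec["opcode_id"] = v
        elif line.startswith("Uniqueness Score:"):
            rec["score"] = float(line.split(":", 1)[1].strip().rstrip("%"))
    return records


def flag_records(records, watchlist=WATCHLIST):
    """Records whose direct API calls intersect the watchlist, with what to look at next."""
    hits = []
    for rec in records:
        found = sorted({c["name"] for c in rec["apis"]} & watchlist)
        if found:
            hits.append({"first_ref": rec["apis"][0]["ref"], "apis": found,
                         "strings": rec["strings"], "opcode_id": rec["opcode_id"]})
    return hits


def read_sizes(records):
    """nSize (4th parameter, index 3) of every ReadProcessMemory call.

    The report prints more entries than the five real parameters; the extras are
    assumed to be stack slots beyond the call's arguments, so the list is indexed,
    not length-checked.  Unknown values are shown as '?' and skipped.
    """
    sizes = []
    for rec in records:
        for c in rec["apis"]:
            if c["name"] == "ReadProcessMemory" and len(c["args"]) > 3 and c["args"][3] != "?":
                sizes.append(int(c["args"][3], 16))
    return sizes


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for hit in flag_records(recs):
        print(hit["first_ref"], hit["apis"], hit["strings"])
    print("ReadProcessMemory nSize values:", [hex(s) for s in read_sizes(recs)])
```

Run against the whole function listing (pasted from the report into a text file) the same parser gives a per-function API inventory; the two ReadProcessMemory sizes it returns here, 0x240 and 0x294, are the values to take to the disassembly when working out which target-process structures the function copies out.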
                                                                            APIs
                                                                            • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,00000000,?,?,009F539F,00000000,?,?,?,?,?,009F5290,?,?,?), ref: 009F5C76
                                                                            Strings
                                                                            • invalid string position, xrefs: 009F5C71
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Xout_of_range@std@@
                                                                            • String ID: invalid string position
                                                                            • API String ID: 1960685668-1799206989
                                                                            • Opcode ID: f199740268c9cabdb6dd304875af845525723796afc19ac20c5de61cdf7a32be
                                                                            • Instruction ID: 482da8dcade58e0de79abc4fb12775a5b9186e597520f0a8505fac25a9e44655
                                                                            • Opcode Fuzzy Hash: f199740268c9cabdb6dd304875af845525723796afc19ac20c5de61cdf7a32be
                                                                            • Instruction Fuzzy Hash: F11181323147199B9724AF6CE84486AB7E9FFE4712302453FE786C7620EB70D918C7A5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,?,?,009F64D8,?,00000001,6D285D9C,00000000), ref: 009F5E94
                                                                            • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,009F64D8,?,00000001,6D285D9C), ref: 009F5EDA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Xlength_error@std@@memcpy
                                                                            • String ID: string too long
                                                                            • API String ID: 237780522-2556327735
                                                                            • Opcode ID: 5c624744a5f8085c0bf75e27c040b62110cb217e907abcf0b2c0d6f936da69ef
                                                                            • Instruction ID: f8696906e359466e7f6760b14f2c841661295c87c640a6ed53f250841ccaf5ad
                                                                            • Opcode Fuzzy Hash: 5c624744a5f8085c0bf75e27c040b62110cb217e907abcf0b2c0d6f936da69ef
                                                                            • Instruction Fuzzy Hash: F511DD32500B095BD7319E58D84077BB7A9EF91320F064D2DEB9587281C7719944CBA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?,?,009F5793,00000000,?,?,?,?,?,009F567F,?,?,?), ref: 009F5F46
                                                                            Strings
                                                                            • invalid string position, xrefs: 009F5F41
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Xout_of_range@std@@
                                                                            • String ID: invalid string position
                                                                            • API String ID: 1960685668-1799206989
                                                                            • Opcode ID: 8b0730b89904c617d473579fc64d91797f6b47730119218b0af722c77eb6ea9d
                                                                            • Instruction ID: 19905f2e0c2efeb0d644e97c7e45244a829412745d2ae157254cf963b88a8964
                                                                            • Opcode Fuzzy Hash: 8b0730b89904c617d473579fc64d91797f6b47730119218b0af722c77eb6ea9d
                                                                            • Instruction Fuzzy Hash: 0311D0323007198FD7209E5CE840A66FBA8EBA1712B16497FF781CB251D7B1D805C7A1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(vector<T> too long,00000000,?,?,00A05410,?,6D285D9C,00000000,?,00000000,?,00A08608,000000FF), ref: 00A04CFF
                                                                            • memset.VCRUNTIME140(?,00000000,?,?,00000000,?,?,00A05410,?,6D285D9C,00000000,?,00000000,?,00A08608,000000FF), ref: 00A04D1E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Xlength_error@std@@memset
                                                                            • String ID: vector<T> too long
                                                                            • API String ID: 1527646195-3788999226
                                                                            • Opcode ID: 51959296db5adad6b298d6b49e17b6dfc36ba2f73a35edc9957ab286a3d7e01b
                                                                            • Instruction ID: 7d0216ccaf1b045745660cee7e0c3621c8a232351c4de486f2c7065ecddfcc0c
                                                                            • Opcode Fuzzy Hash: 51959296db5adad6b298d6b49e17b6dfc36ba2f73a35edc9957ab286a3d7e01b
                                                                            • Instruction Fuzzy Hash: 08F0B4B2A01226BBD3009F48EC01786F7E8BF58710F208226FA18D3280E7B198208BD1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.4457964049.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009F0000, based on PE: true
                                                                            • Associated: 00000002.00000002.4457902913.00000000009F0000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458029501.0000000000A0A000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458102268.0000000000A17000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000002.00000002.4458168905.0000000000A1A000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_9f0000_antivirus_detector.jbxd
                                                                            Similarity
                                                                            • API ID: Gdip$DisposeFreeImage
                                                                            • String ID: vQs
                                                                            • API String ID: 1950503971-294607111
                                                                            • Opcode ID: 1849b232644c1c92a90738dc83f0f65e408ed995ac6f7077d8205d1f4e8c7dbc
                                                                            • Instruction ID: f1b2fadd9daadc7860cf8337eb8344756d6bf5ca95046840ae82fc97d719e7fe
                                                                            • Opcode Fuzzy Hash: 1849b232644c1c92a90738dc83f0f65e408ed995ac6f7077d8205d1f4e8c7dbc
                                                                            • Instruction Fuzzy Hash: DBE0867630032C57D6215BC8BC05AEAB79CDF26BA5B004036FB44A6300D672A82297E7
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Execution Graph

                                                                            Execution Coverage:20.3%
                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                            Signature Coverage:0%
                                                                            Total number of Nodes:1279
                                                                            Total number of Limit Nodes:28
SendMessageA 3840->3845 3841 40489e SendMessageA 3841->3837 3843 40140b 2 API calls 3842->3843 3843->3845 3845->3839 3846->3841 3847 401502 3848 40150a 3847->3848 3850 40151d 3847->3850 3849 402b0a 17 API calls 3848->3849 3849->3850 3079 401389 3081 401390 3079->3081 3080 4013fe 3081->3080 3082 4013cb MulDiv SendMessageA 3081->3082 3082->3081 3851 404209 3852 40421f 3851->3852 3860 40432b 3851->3860 3854 40409e 18 API calls 3852->3854 3853 40439a 3855 404464 3853->3855 3856 4043a4 GetDlgItem 3853->3856 3857 404275 3854->3857 3862 404105 8 API calls 3855->3862 3858 404422 3856->3858 3859 4043ba 3856->3859 3861 40409e 18 API calls 3857->3861 3858->3855 3866 404434 3858->3866 3859->3858 3865 4043e0 SendMessageA LoadCursorA SetCursor 3859->3865 3860->3853 3860->3855 3863 40436f GetDlgItem SendMessageA 3860->3863 3864 404282 CheckDlgButton 3861->3864 3877 40445f 3862->3877 3884 4040c0 EnableWindow 3863->3884 3882 4040c0 EnableWindow 3864->3882 3888 4044ad 3865->3888 3871 40443a SendMessageA 3866->3871 3872 40444b 3866->3872 3868 404395 3885 404489 3868->3885 3871->3872 3876 404451 SendMessageA 3872->3876 3872->3877 3874 4042a0 GetDlgItem 3883 4040d3 SendMessageA 3874->3883 3876->3877 3879 4042b6 SendMessageA 3880 4042d4 GetSysColor 3879->3880 3881 4042dd SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 3879->3881 3880->3881 3881->3877 3882->3874 3883->3879 3884->3868 3886 404497 3885->3886 3887 40449c SendMessageA 3885->3887 3886->3887 3887->3853 3891 4056f2 ShellExecuteExA 3888->3891 3890 404413 LoadCursorA SetCursor 3890->3858 3891->3890 3892 401c0a 3893 402b0a 17 API calls 3892->3893 3894 401c11 3893->3894 3895 402b0a 17 API calls 3894->3895 3896 401c1e 3895->3896 3897 401c33 3896->3897 3898 402b2c 17 API calls 3896->3898 3899 402b2c 17 API calls 3897->3899 3903 401c43 3897->3903 3898->3897 3899->3903 3900 401c9a 3902 402b2c 17 API calls 3900->3902 3901 401c4e 3904 402b0a 17 API calls 3901->3904 3905 401c9f 3902->3905 3903->3900 3903->3901 3906 401c53 
3904->3906 3907 402b2c 17 API calls 3905->3907 3908 402b0a 17 API calls 3906->3908 3909 401ca8 FindWindowExA 3907->3909 3910 401c5f 3908->3910 3913 401cc6 3909->3913 3911 401c8a SendMessageA 3910->3911 3912 401c6c SendMessageTimeoutA 3910->3912 3911->3913 3912->3913 3914 401e8f 3915 402b0a 17 API calls 3914->3915 3916 401e95 3915->3916 3917 402b0a 17 API calls 3916->3917 3918 401ea1 3917->3918 3919 401eb8 EnableWindow 3918->3919 3920 401ead ShowWindow 3918->3920 3921 4029b8 3919->3921 3920->3921 3922 401490 3923 405137 24 API calls 3922->3923 3924 401497 3923->3924 3925 402993 SendMessageA 3926 4029ad InvalidateRect 3925->3926 3927 4029b8 3925->3927 3926->3927 3928 401f98 3929 402b2c 17 API calls 3928->3929 3930 401f9f 3929->3930 3931 406313 2 API calls 3930->3931 3932 401fa5 3931->3932 3934 401fb7 3932->3934 3935 405f6e wsprintfA 3932->3935 3935->3934 3406 40159d 3407 402b2c 17 API calls 3406->3407 3408 4015a4 SetFileAttributesA 3407->3408 3409 4015b6 3408->3409 3936 40641d WaitForSingleObject 3937 406437 3936->3937 3938 406449 GetExitCodeProcess 3937->3938 3939 4063e4 2 API calls 3937->3939 3940 40643e WaitForSingleObject 3939->3940 3940->3937 3941 40149d 3942 4014ab PostQuitMessage 3941->3942 3943 40234e 3941->3943 3942->3943 3944 401a1e 3945 402b2c 17 API calls 3944->3945 3946 401a27 ExpandEnvironmentStringsA 3945->3946 3947 401a3b 3946->3947 3949 401a4e 3946->3949 3948 401a40 lstrcmpA 3947->3948 3947->3949 3948->3949 3955 40171f 3956 402b2c 17 API calls 3955->3956 3957 401726 SearchPathA 3956->3957 3958 401741 3957->3958 3959 401d20 3960 402b0a 17 API calls 3959->3960 3961 401d2e SetWindowLongA 3960->3961 3962 4029b8 3961->3962 3963 402721 3964 402727 3963->3964 3965 40272f FindClose 3964->3965 3966 4029b8 3964->3966 3965->3966 3967 404aa3 GetDlgItem GetDlgItem 3968 404af9 7 API calls 3967->3968 3980 404d20 3967->3980 3969 404ba1 DeleteObject 3968->3969 3970 404b95 SendMessageA 3968->3970 3971 404bac 3969->3971 3970->3969 3972 404be3 3971->3972 3975 406032 17 
API calls 3971->3975 3973 40409e 18 API calls 3972->3973 3976 404bf7 3973->3976 3974 404eae 3978 404ec0 3974->3978 3979 404eb8 SendMessageA 3974->3979 3981 404bc5 SendMessageA SendMessageA 3975->3981 3982 40409e 18 API calls 3976->3982 3977 404e02 3977->3974 3983 404e5b SendMessageA 3977->3983 4010 404d13 3977->4010 3986 404ee9 3978->3986 3990 404ed2 ImageList_Destroy 3978->3990 3991 404ed9 3978->3991 3979->3978 3980->3977 4006 404d8f 3980->4006 4020 4049f1 SendMessageA 3980->4020 3981->3971 3996 404c08 3982->3996 3988 404e70 SendMessageA 3983->3988 3983->4010 3984 404105 8 API calls 3989 4050a4 3984->3989 3985 404df4 SendMessageA 3985->3977 3995 405058 3986->3995 4014 404f24 3986->4014 4025 404a71 3986->4025 3994 404e83 3988->3994 3990->3991 3991->3986 3992 404ee2 GlobalFree 3991->3992 3992->3986 3993 404ce2 GetWindowLongA SetWindowLongA 3998 404cfb 3993->3998 4004 404e94 SendMessageA 3994->4004 3997 40506a ShowWindow GetDlgItem ShowWindow 3995->3997 3995->4010 3996->3993 4003 404c5a SendMessageA 3996->4003 4005 404cdd 3996->4005 4007 404c98 SendMessageA 3996->4007 4008 404cac SendMessageA 3996->4008 3997->4010 3999 404d00 ShowWindow 3998->3999 4000 404d18 3998->4000 4018 4040d3 SendMessageA 3999->4018 4019 4040d3 SendMessageA 4000->4019 4003->3996 4004->3974 4005->3993 4005->3998 4006->3977 4006->3985 4007->3996 4008->3996 4010->3984 4011 40502e InvalidateRect 4011->3995 4012 405044 4011->4012 4034 4049ac 4012->4034 4013 404f52 SendMessageA 4017 404f68 4013->4017 4014->4013 4014->4017 4016 404fdc SendMessageA SendMessageA 4016->4017 4017->4011 4017->4016 4018->4010 4019->3980 4021 404a50 SendMessageA 4020->4021 4022 404a14 GetMessagePos ScreenToClient SendMessageA 4020->4022 4023 404a48 4021->4023 4022->4023 4024 404a4d 4022->4024 4023->4006 4024->4021 4037 406010 lstrcpynA 4025->4037 4027 404a84 4038 405f6e wsprintfA 4027->4038 4029 404a8e 4030 40140b 2 API calls 4029->4030 4031 404a97 4030->4031 4039 406010 lstrcpynA 4031->4039 4033 404a9e 4033->4014 4040 
4048e7 4034->4040 4036 4049c1 4036->3995 4037->4027 4038->4029 4039->4033 4041 4048fd 4040->4041 4042 406032 17 API calls 4041->4042 4043 404961 4042->4043 4044 406032 17 API calls 4043->4044 4045 40496c 4044->4045 4046 406032 17 API calls 4045->4046 4047 404982 lstrlenA wsprintfA SetDlgItemTextA 4046->4047 4047->4036 4048 4027a3 4049 402b2c 17 API calls 4048->4049 4050 4027b1 4049->4050 4051 4027c7 4050->4051 4052 402b2c 17 API calls 4050->4052 4053 405b84 2 API calls 4051->4053 4052->4051 4054 4027cd 4053->4054 4076 405ba9 GetFileAttributesA CreateFileA 4054->4076 4056 4027da 4057 4027e6 GlobalAlloc 4056->4057 4058 40287d 4056->4058 4059 402874 CloseHandle 4057->4059 4060 4027ff 4057->4060 4061 402885 DeleteFileA 4058->4061 4062 402898 4058->4062 4059->4058 4077 403223 SetFilePointer 4060->4077 4061->4062 4064 402805 4065 40320d ReadFile 4064->4065 4066 40280e GlobalAlloc 4065->4066 4067 402852 4066->4067 4068 40281e 4066->4068 4070 405c50 WriteFile 4067->4070 4069 402ffb 31 API calls 4068->4069 4071 40282b 4069->4071 4072 40285e GlobalFree 4070->4072 4074 402849 GlobalFree 4071->4074 4073 402ffb 31 API calls 4072->4073 4075 402871 4073->4075 4074->4067 4075->4059 4076->4056 4077->4064 4078 4023a7 4079 402b2c 17 API calls 4078->4079 4080 4023b8 4079->4080 4081 402b2c 17 API calls 4080->4081 4082 4023c1 4081->4082 4083 402b2c 17 API calls 4082->4083 4084 4023cb GetPrivateProfileStringA 4083->4084 4085 4050ab 4086 4050bb 4085->4086 4087 4050cf 4085->4087 4089 4050c1 4086->4089 4090 405118 4086->4090 4088 4050d7 IsWindowVisible 4087->4088 4092 4050ee 4087->4092 4088->4090 4091 4050e4 4088->4091 4094 4040ea SendMessageA 4089->4094 4093 40511d CallWindowProcA 4090->4093 4095 4049f1 5 API calls 4091->4095 4092->4093 4097 404a71 4 API calls 4092->4097 4096 4050cb 4093->4096 4094->4096 4095->4092 4097->4090 4098 40292c 4099 402b0a 17 API calls 4098->4099 4100 402932 4099->4100 4101 402944 4100->4101 4102 402967 4100->4102 4104 402783 4100->4104 4101->4104 4106 405f6e 
wsprintfA 4101->4106 4103 406032 17 API calls 4102->4103 4102->4104 4103->4104 4106->4104 4107 404530 4108 40455c 4107->4108 4109 40456d 4107->4109 4168 405710 GetDlgItemTextA 4108->4168 4111 404579 GetDlgItem 4109->4111 4118 4045d8 4109->4118 4114 40458d 4111->4114 4112 4046bc 4117 404866 4112->4117 4170 405710 GetDlgItemTextA 4112->4170 4113 404567 4115 40627a 5 API calls 4113->4115 4116 4045a1 SetWindowTextA 4114->4116 4120 405a41 4 API calls 4114->4120 4115->4109 4121 40409e 18 API calls 4116->4121 4124 404105 8 API calls 4117->4124 4118->4112 4118->4117 4122 406032 17 API calls 4118->4122 4126 404597 4120->4126 4127 4045bd 4121->4127 4128 40464c SHBrowseForFolderA 4122->4128 4123 4046ec 4129 405a96 18 API calls 4123->4129 4125 40487a 4124->4125 4126->4116 4133 4059a8 3 API calls 4126->4133 4130 40409e 18 API calls 4127->4130 4128->4112 4131 404664 CoTaskMemFree 4128->4131 4132 4046f2 4129->4132 4134 4045cb 4130->4134 4135 4059a8 3 API calls 4131->4135 4171 406010 lstrcpynA 4132->4171 4133->4116 4169 4040d3 SendMessageA 4134->4169 4137 404671 4135->4137 4140 4046a8 SetDlgItemTextA 4137->4140 4144 406032 17 API calls 4137->4144 4139 4045d1 4142 4063a8 5 API calls 4139->4142 4140->4112 4141 404709 4143 4063a8 5 API calls 4141->4143 4142->4118 4150 404710 4143->4150 4145 404690 lstrcmpiA 4144->4145 4145->4140 4148 4046a1 lstrcatA 4145->4148 4146 40474c 4172 406010 lstrcpynA 4146->4172 4148->4140 4149 404753 4151 405a41 4 API calls 4149->4151 4150->4146 4154 4059ef 2 API calls 4150->4154 4156 4047a4 4150->4156 4152 404759 GetDiskFreeSpaceA 4151->4152 4155 40477d MulDiv 4152->4155 4152->4156 4154->4150 4155->4156 4157 404815 4156->4157 4159 4049ac 20 API calls 4156->4159 4158 404838 4157->4158 4160 40140b 2 API calls 4157->4160 4173 4040c0 EnableWindow 4158->4173 4161 404802 4159->4161 4160->4158 4163 404817 SetDlgItemTextA 4161->4163 4164 404807 4161->4164 4163->4157 4166 4048e7 20 API calls 4164->4166 4165 404854 4165->4117 4167 404489 SendMessageA 4165->4167 
4166->4157 4167->4117 4168->4113 4169->4139 4170->4123 4171->4141 4172->4149 4173->4165 4174 402631 4175 402b0a 17 API calls 4174->4175 4176 40263b 4175->4176 4177 405c21 ReadFile 4176->4177 4178 4026ab 4176->4178 4179 4026bb 4176->4179 4182 4026a9 4176->4182 4177->4176 4183 405f6e wsprintfA 4178->4183 4181 4026d1 SetFilePointer 4179->4181 4179->4182 4181->4182 4183->4182 2801 401932 2802 401934 2801->2802 2807 402b2c 2802->2807 2808 402b38 2807->2808 2850 406032 2808->2850 2811 401939 2813 4057d8 2811->2813 2892 405a96 2813->2892 2816 405800 DeleteFileA 2823 401942 2816->2823 2817 405817 2820 405945 2817->2820 2906 406010 lstrcpynA 2817->2906 2819 40583d 2821 405850 2819->2821 2822 405843 lstrcatA 2819->2822 2820->2823 2935 406313 FindFirstFileA 2820->2935 2907 4059ef lstrlenA 2821->2907 2824 405856 2822->2824 2827 405864 lstrcatA 2824->2827 2829 40586f lstrlenA FindFirstFileA 2824->2829 2827->2829 2829->2820 2848 405893 2829->2848 2832 4059d3 CharNextA 2832->2848 2833 405790 5 API calls 2834 40597f 2833->2834 2835 405983 2834->2835 2836 405999 2834->2836 2835->2823 2840 405137 24 API calls 2835->2840 2838 405137 24 API calls 2836->2838 2838->2823 2839 405924 FindNextFileA 2841 40593c FindClose 2839->2841 2839->2848 2842 405990 2840->2842 2841->2820 2843 405def 36 API calls 2842->2843 2843->2823 2845 4057d8 60 API calls 2845->2848 2846 405137 24 API calls 2846->2839 2848->2832 2848->2839 2848->2845 2848->2846 2911 406010 lstrcpynA 2848->2911 2912 405790 2848->2912 2920 405137 2848->2920 2931 405def MoveFileExA 2848->2931 2858 40603f 2850->2858 2851 406261 2852 402b59 2851->2852 2883 406010 lstrcpynA 2851->2883 2852->2811 2867 40627a 2852->2867 2854 40623b lstrlenA 2854->2858 2855 406032 10 API calls 2855->2854 2858->2851 2858->2854 2858->2855 2860 406157 GetSystemDirectoryA 2858->2860 2861 40616a GetWindowsDirectoryA 2858->2861 2862 40627a 5 API calls 2858->2862 2863 406032 10 API calls 2858->2863 2864 4061e4 lstrcatA 2858->2864 2865 40619e 
SHGetSpecialFolderLocation 2858->2865 2876 405ef7 2858->2876 2881 405f6e wsprintfA 2858->2881 2882 406010 lstrcpynA 2858->2882 2860->2858 2861->2858 2862->2858 2863->2858 2864->2858 2865->2858 2866 4061b6 SHGetPathFromIDListA CoTaskMemFree 2865->2866 2866->2858 2874 406286 2867->2874 2868 4062f2 CharPrevA 2870 4062ee 2868->2870 2869 4062e3 CharNextA 2869->2870 2869->2874 2870->2868 2871 40630d 2870->2871 2871->2811 2873 4062d1 CharNextA 2873->2874 2874->2869 2874->2870 2874->2873 2875 4062de CharNextA 2874->2875 2888 4059d3 2874->2888 2875->2869 2884 405e96 2876->2884 2879 405f5a 2879->2858 2880 405f2b RegQueryValueExA RegCloseKey 2880->2879 2881->2858 2882->2858 2883->2852 2885 405ea5 2884->2885 2886 405ea9 2885->2886 2887 405eae RegOpenKeyExA 2885->2887 2886->2879 2886->2880 2887->2886 2889 4059d9 2888->2889 2890 4059ec 2889->2890 2891 4059df CharNextA 2889->2891 2890->2874 2891->2889 2941 406010 lstrcpynA 2892->2941 2894 405aa7 2942 405a41 CharNextA CharNextA 2894->2942 2897 4057f8 2897->2816 2897->2817 2898 40627a 5 API calls 2904 405abd 2898->2904 2899 405ae8 lstrlenA 2900 405af3 2899->2900 2899->2904 2901 4059a8 3 API calls 2900->2901 2903 405af8 GetFileAttributesA 2901->2903 2902 406313 2 API calls 2902->2904 2903->2897 2904->2897 2904->2899 2904->2902 2905 4059ef 2 API calls 2904->2905 2905->2899 2906->2819 2908 4059fc 2907->2908 2909 405a01 CharPrevA 2908->2909 2910 405a0d 2908->2910 2909->2908 2909->2910 2910->2824 2911->2848 2948 405b84 GetFileAttributesA 2912->2948 2915 4057bd 2915->2848 2916 4057b3 DeleteFileA 2918 4057b9 2916->2918 2917 4057ab RemoveDirectoryA 2917->2918 2918->2915 2919 4057c9 SetFileAttributesA 2918->2919 2919->2915 2921 405152 2920->2921 2930 4051f5 2920->2930 2922 40516f lstrlenA 2921->2922 2925 406032 17 API calls 2921->2925 2923 405198 2922->2923 2924 40517d lstrlenA 2922->2924 2927 4051ab 2923->2927 2928 40519e SetWindowTextA 2923->2928 2926 40518f lstrcatA 2924->2926 2924->2930 2925->2922 2926->2923 2929 4051b1 SendMessageA 
SendMessageA SendMessageA 2927->2929 2927->2930 2928->2927 2929->2930 2930->2848 2932 405e03 2931->2932 2934 405e10 2931->2934 2951 405c7f 2932->2951 2934->2848 2936 405969 2935->2936 2937 406329 FindClose 2935->2937 2936->2823 2938 4059a8 lstrlenA CharPrevA 2936->2938 2937->2936 2939 4059c2 lstrcatA 2938->2939 2940 405973 2938->2940 2939->2940 2940->2833 2941->2894 2943 405a5c 2942->2943 2946 405a6c 2942->2946 2945 405a67 CharNextA 2943->2945 2943->2946 2944 405a8c 2944->2897 2944->2898 2945->2944 2946->2944 2947 4059d3 CharNextA 2946->2947 2947->2946 2949 40579c 2948->2949 2950 405b96 SetFileAttributesA 2948->2950 2949->2915 2949->2916 2949->2917 2950->2949 2952 405ca5 2951->2952 2953 405ccb GetShortPathNameA 2951->2953 2978 405ba9 GetFileAttributesA CreateFileA 2952->2978 2954 405ce0 2953->2954 2955 405dea 2953->2955 2954->2955 2957 405ce8 wsprintfA 2954->2957 2955->2934 2960 406032 17 API calls 2957->2960 2958 405caf CloseHandle GetShortPathNameA 2958->2955 2959 405cc3 2958->2959 2959->2953 2959->2955 2961 405d10 2960->2961 2979 405ba9 GetFileAttributesA CreateFileA 2961->2979 2963 405d1d 2963->2955 2964 405d2c GetFileSize GlobalAlloc 2963->2964 2965 405de3 CloseHandle 2964->2965 2966 405d4e 2964->2966 2965->2955 2980 405c21 ReadFile 2966->2980 2971 405d81 2974 405b0e 4 API calls 2971->2974 2972 405d6d lstrcpyA 2973 405d8f 2972->2973 2975 405dc6 SetFilePointer 2973->2975 2974->2973 2987 405c50 WriteFile 2975->2987 2978->2958 2979->2963 2981 405c3f 2980->2981 2981->2965 2982 405b0e lstrlenA 2981->2982 2983 405b4f lstrlenA 2982->2983 2984 405b28 lstrcmpiA 2983->2984 2986 405b57 2983->2986 2985 405b46 CharNextA 2984->2985 2984->2986 2985->2983 2986->2971 2986->2972 2988 405c6e GlobalFree 2987->2988 2988->2965 4184 4022b2 4185 402b2c 17 API calls 4184->4185 4186 4022b8 4185->4186 4187 402b2c 17 API calls 4186->4187 4188 4022c1 4187->4188 4189 402b2c 17 API calls 4188->4189 4190 4022ca 4189->4190 4191 406313 2 API calls 4190->4191 4192 4022d3 4191->4192 4193 4022e4 
lstrlenA lstrlenA 4192->4193 4194 4022d7 4192->4194 4196 405137 24 API calls 4193->4196 4195 405137 24 API calls 4194->4195 4198 4022df 4194->4198 4195->4198 4197 402320 SHFileOperationA 4196->4197 4197->4194 4197->4198 4199 402334 4200 40234e 4199->4200 4201 40233b 4199->4201 4202 406032 17 API calls 4201->4202 4203 402348 4202->4203 4204 40572c MessageBoxIndirectA 4203->4204 4204->4200 4205 4014b7 4206 4014bd 4205->4206 4207 401389 2 API calls 4206->4207 4208 4014c5 4207->4208 4209 402138 4210 402b2c 17 API calls 4209->4210 4211 40213f 4210->4211 4212 402b2c 17 API calls 4211->4212 4213 402149 4212->4213 4214 402b2c 17 API calls 4213->4214 4215 402153 4214->4215 4216 402b2c 17 API calls 4215->4216 4217 40215d 4216->4217 4218 402b2c 17 API calls 4217->4218 4219 402167 4218->4219 4220 4021a9 CoCreateInstance 4219->4220 4221 402b2c 17 API calls 4219->4221 4224 4021c8 4220->4224 4226 402273 4220->4226 4221->4220 4222 401423 24 API calls 4223 4022a9 4222->4223 4225 402253 MultiByteToWideChar 4224->4225 4224->4226 4225->4226 4226->4222 4226->4223 3386 4015bb 3387 402b2c 17 API calls 3386->3387 3388 4015c2 3387->3388 3389 405a41 4 API calls 3388->3389 3402 4015ca 3389->3402 3390 401624 3392 401629 3390->3392 3394 401652 3390->3394 3391 4059d3 CharNextA 3391->3402 3393 401423 24 API calls 3392->3393 3396 401630 3393->3396 3395 401423 24 API calls 3394->3395 3403 40164a 3395->3403 3405 406010 lstrcpynA 3396->3405 3397 40567a 2 API calls 3397->3402 3399 405697 5 API calls 3399->3402 3400 40163b SetCurrentDirectoryA 3400->3403 3401 40160c GetFileAttributesA 3401->3402 3402->3390 3402->3391 3402->3397 3402->3399 3402->3401 3404 4055fd 4 API calls 3402->3404 3404->3402 3405->3400 4227 40273b 4228 402741 4227->4228 4229 402745 FindNextFileA 4228->4229 4232 402757 4228->4232 4230 402796 4229->4230 4229->4232 4233 406010 lstrcpynA 4230->4233 4233->4232 4234 4016bb 4235 402b2c 17 API calls 4234->4235 4236 4016c1 GetFullPathNameA 4235->4236 4237 4016f9 4236->4237 4238 4016d8 
4236->4238 4239 4029b8 4237->4239 4240 40170d GetShortPathNameA 4237->4240 4238->4237 4241 406313 2 API calls 4238->4241 4240->4239 4242 4016e9 4241->4242 4242->4237 4244 406010 lstrcpynA 4242->4244 4244->4237 3410 40243d 3411 402b2c 17 API calls 3410->3411 3412 40244f 3411->3412 3413 402b2c 17 API calls 3412->3413 3414 402459 3413->3414 3427 402bbc 3414->3427 3417 4029b8 3418 40248e 3420 40249a 3418->3420 3431 402b0a 3418->3431 3419 402b2c 17 API calls 3423 402487 lstrlenA 3419->3423 3422 4024b9 RegSetValueExA 3420->3422 3424 402ffb 31 API calls 3420->3424 3425 4024cf RegCloseKey 3422->3425 3423->3418 3424->3422 3425->3417 3428 402bd7 3427->3428 3434 405ec4 3428->3434 3432 406032 17 API calls 3431->3432 3433 402b1f 3432->3433 3433->3420 3435 405ed3 3434->3435 3436 402469 3435->3436 3437 405ede RegCreateKeyExA 3435->3437 3436->3417 3436->3418 3436->3419 3437->3436 4245 401b3f 4246 402b2c 17 API calls 4245->4246 4247 401b46 4246->4247 4248 402b0a 17 API calls 4247->4248 4249 401b4f wsprintfA 4248->4249 4250 4029b8 4249->4250

                                                                            Control-flow Graph (rendered graph, with its Executed / Not Executed legend, omitted; the underlying edge data is not readable as text)
                                                                            APIs
                                                                            • SetErrorMode.KERNELBASE ref: 00403290
                                                                            • GetVersion.KERNEL32 ref: 00403296
                                                                            • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004032C9
                                                                            • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403305
                                                                            • OleInitialize.OLE32(00000000), ref: 0040330C
                                                                            • SHGetFileInfoA.SHELL32(00429830,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 00403328
                                                                            • GetCommandLineA.KERNEL32(Windows Provisioning Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 0040333D
                                                                            • CharNextA.USER32(00000000,"C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe" -s=1,00000020,"C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe" -s=1,00000000,?,00000006,00000008,0000000A), ref: 00403379
                                                                            • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,00000008,0000000A), ref: 00403476
                                                                            • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 00403487
                                                                            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403493
                                                                            • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004034A7
                                                                            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004034AF
                                                                            • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004034C0
                                                                            • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004034C8
                                                                            • DeleteFileA.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 004034DC
                                                                              • Part of subcall function 004063A8: GetModuleHandleA.KERNEL32(?,?,?,004032DE,0000000A), ref: 004063BA
                                                                              • Part of subcall function 004063A8: GetProcAddress.KERNEL32(00000000,?), ref: 004063D5
                                                                              • Part of subcall function 0040382D: lstrlenA.KERNEL32("post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0,?,?,?,"post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0,00000000,C:\Program Files (x86)\Windows Provisioning,1033,0042A870,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A870,00000000,00000002,75923410), ref: 0040391D
                                                                              • Part of subcall function 0040382D: lstrcmpiA.KERNEL32(?,.exe), ref: 00403930
                                                                              • Part of subcall function 0040382D: GetFileAttributesA.KERNEL32("post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0), ref: 0040393B
                                                                              • Part of subcall function 0040382D: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Program Files (x86)\Windows Provisioning), ref: 00403984
                                                                              • Part of subcall function 0040382D: RegisterClassA.USER32(0042EBA0), ref: 004039C1
                                                                            • ExitProcess.KERNEL32(?,?,00000006,00000008,0000000A), ref: 00403585
                                                                              • Part of subcall function 00403753: CloseHandle.KERNEL32(FFFFFFFF,0040358A,?,?,00000006,00000008,0000000A), ref: 0040375E
                                                                            • OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 0040358A
                                                                            • ExitProcess.KERNEL32 ref: 004035AB
                                                                            • GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 004036C8
                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 004036CF
                                                                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004036E7
                                                                            • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00403706
                                                                            • ExitWindowsEx.USER32(00000002,80040002), ref: 0040372A
                                                                            • ExitProcess.KERNEL32 ref: 0040374D
                                                                              • Part of subcall function 0040572C: MessageBoxIndirectA.USER32(0040A218), ref: 00405787
                                                                            Memory Dump Source
• Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: Process$Exit$File$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
                                                                            • String ID: "$"C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe" -s=1$.tmp$1033$C:\Program Files (x86)\Windows Provisioning$C:\Program Files (x86)\Windows Provisioning$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Windows Provisioning$C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$Windows Provisioning Setup$\Temp$~nsu
                                                                            • API String ID: 562314493-1040447263
                                                                            • Opcode ID: 4775c68527fbb917aecb0a7c801f737b56a4a891fa957fa25b7ad5f6c3460015
                                                                            • Instruction ID: c488d4947f624a60ea111d8e8e2b3f6be1d3d76fce8bfd42f4ae142e8cae794f
                                                                            • Opcode Fuzzy Hash: 4775c68527fbb917aecb0a7c801f737b56a4a891fa957fa25b7ad5f6c3460015
                                                                            • Instruction Fuzzy Hash: 9EC10570104741AAD7216F759D49B2F3EA8AF4570AF44443FF582B61E2CB7C8A198B2F
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph: function 004057D8 (rendered graph of executed and not-executed basic blocks; the block and edge list is not reproduced here; the graph's API nodes are DeleteFileA, lstrcatA, lstrlenA, FindFirstFileA, FindNextFileA and FindClose, listed under APIs below)
                                                                            APIs
                                                                            • DeleteFileA.KERNELBASE(?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405801
                                                                            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsmE645.tmp\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nsmE645.tmp\*.*,?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405849
                                                                            • lstrcatA.KERNEL32(?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsmE645.tmp\*.*,?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040586A
                                                                            • lstrlenA.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsmE645.tmp\*.*,?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405870
                                                                            • FindFirstFileA.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsmE645.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsmE645.tmp\*.*,?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405881
                                                                            • FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 0040592E
                                                                            • FindClose.KERNEL32(00000000), ref: 0040593F
                                                                            Memory Dump Source
• Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: the same seven memory dumps listed for the previous function
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                            • String ID: "C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe" -s=1$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsmE645.tmp\*.*$\*.*
                                                                            • API String ID: 2035342205-4050246052
                                                                            • Opcode ID: 1028c0a1378fe67f5cfd0213f93084011618ac7fb180f8f6d485c044da562b3f
                                                                            • Instruction ID: b1b2ef924c21ee39ce724be99c412cdb4e11523259fae964be374fa5306f8f12
                                                                            • Opcode Fuzzy Hash: 1028c0a1378fe67f5cfd0213f93084011618ac7fb180f8f6d485c044da562b3f
                                                                            • Instruction Fuzzy Hash: 9A51A171800A04EADB216B618C45BBF7AB8DF42728F14807BF845B51D1C73C4982DE6A
Uniqueness
• Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • FindFirstFileA.KERNELBASE(75923410,0042C0C0,C:\,00405AD9,C:\,C:\,00000000,C:\,C:\,75923410,?,C:\Users\user\AppData\Local\Temp\,004057F8,?,75923410,C:\Users\user\AppData\Local\Temp\), ref: 0040631E
                                                                            • FindClose.KERNELBASE(00000000), ref: 0040632A
                                                                            Memory Dump Source
• Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: the same seven memory dumps listed for the previous functions
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: Find$CloseFileFirst
                                                                            • String ID: C:\
                                                                            • API String ID: 2295610775-3404278061
                                                                            • Opcode ID: 1839775ab65f4c7429e333cf5f3a5f1104f42c23ffe018d7624b5080913ebc3e
                                                                            • Instruction ID: f1da5dbc8fb4190b670de1866088b9aea297c62f24eccc1d76d376cb4bf46ee5
                                                                            • Opcode Fuzzy Hash: 1839775ab65f4c7429e333cf5f3a5f1104f42c23ffe018d7624b5080913ebc3e
                                                                            • Instruction Fuzzy Hash: A8D0123250A030ABC350177C7E0C88F7A989F163347218A36F4A6F21E0C7348C2286DC
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph: function 0040382D (rendered graph of executed and not-executed basic blocks; the block and edge list is not reproduced here; the graph's API nodes are lstrcatA, lstrlenA, lstrcmpiA, GetFileAttributesA, LoadImageA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, ShowWindow, GetClassInfoA and DialogBoxParamA, listed under APIs below)
                                                                            APIs
                                                                              • Part of subcall function 004063A8: GetModuleHandleA.KERNEL32(?,?,?,004032DE,0000000A), ref: 004063BA
                                                                              • Part of subcall function 004063A8: GetProcAddress.KERNEL32(00000000,?), ref: 004063D5
                                                                            • lstrcatA.KERNEL32(1033,0042A870,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A870,00000000,00000002,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe" -s=1,00000000), ref: 004038A8
                                                                            • lstrlenA.KERNEL32("post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0,?,?,?,"post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0,00000000,C:\Program Files (x86)\Windows Provisioning,1033,0042A870,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A870,00000000,00000002,75923410), ref: 0040391D
                                                                            • lstrcmpiA.KERNEL32(?,.exe), ref: 00403930
                                                                            • GetFileAttributesA.KERNEL32("post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0), ref: 0040393B
                                                                            • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Program Files (x86)\Windows Provisioning), ref: 00403984
                                                                              • Part of subcall function 00405F6E: wsprintfA.USER32 ref: 00405F7B
                                                                            • RegisterClassA.USER32(0042EBA0), ref: 004039C1
                                                                            • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004039D9
                                                                            • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403A0E
                                                                            • ShowWindow.USER32(00000005,00000000), ref: 00403A44
                                                                            • GetClassInfoA.USER32(00000000,RichEdit20A,0042EBA0), ref: 00403A70
                                                                            • GetClassInfoA.USER32(00000000,RichEdit,0042EBA0), ref: 00403A7D
                                                                            • RegisterClassA.USER32(0042EBA0), ref: 00403A86
                                                                            • DialogBoxParamA.USER32(?,00000000,00403BCA,00000000), ref: 00403AA5
                                                                            Memory Dump Source
• Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: the same seven memory dumps listed for the previous functions
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                            • String ID: "C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe" -s=1$"post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0$.DEFAULT\Control Panel\International$.exe$1033$C:\Program Files (x86)\Windows Provisioning$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                                            • API String ID: 1975747703-1409242338
                                                                            • Opcode ID: 15822f17e376e41266fbf8a251ac5c412d7bb8a3b85e81a9d7c16052a8cecaf4
                                                                            • Instruction ID: 5bdd09b32da2b5bd11ad56600dd1adb443959310d265eb20ccced3f07ac4f103
                                                                            • Opcode Fuzzy Hash: 15822f17e376e41266fbf8a251ac5c412d7bb8a3b85e81a9d7c16052a8cecaf4
                                                                            • Instruction Fuzzy Hash: B461C770340201AED620BB669D45F2B3E6CEB54749F80447FF981B22E2CB7D9D469B2D
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph: function 00402DC4 (rendered graph of executed and not-executed basic blocks; the block and edge list is not reproduced here; the graph's API nodes are GetTickCount, GetModuleFileNameA, GetFileSize, GlobalAlloc and SetFilePointer, listed under APIs below)
                                                                            APIs
                                                                            • GetTickCount.KERNEL32 ref: 00402DD5
                                                                            • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe,00000400), ref: 00402DF1
                                                                              • Part of subcall function 00405BA9: GetFileAttributesA.KERNELBASE(00000003,00402E04,C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe,80000000,00000003), ref: 00405BAD
                                                                              • Part of subcall function 00405BA9: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BCF
                                                                            • GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\AppData\Roaming\Windows Provisioning,C:\Users\user\AppData\Roaming\Windows Provisioning,C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe,C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe,80000000,00000003), ref: 00402E3D
                                                                            • GlobalAlloc.KERNELBASE(00000040,00000020), ref: 00402F73
                                                                            Strings
                                                                            • C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe, xrefs: 00402DDB, 00402DEA, 00402DFE, 00402E1E
                                                                            • Inst, xrefs: 00402EA9
                                                                            • soft, xrefs: 00402EB2
                                                                            • Error launching installer, xrefs: 00402E14
                                                                            • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402F9A
                                                                            • "C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe" -s=1, xrefs: 00402DC4
                                                                            • C:\Users\user\AppData\Roaming\Windows Provisioning, xrefs: 00402E1F, 00402E24, 00402E2A
                                                                            • TA, xrefs: 00402E52
                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00402DCB
                                                                            • Null, xrefs: 00402EBB
                                                                            Memory Dump Source
• Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: the same seven memory dumps listed for the previous functions
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                            • String ID: TA$"C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe" -s=1$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Windows Provisioning$C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                                                            • API String ID: 2803837635-2918105217
                                                                            • Opcode ID: a6173edc5218a8736919d7ec244e80ad4ff8d0a671bf7eda1f584d4bdf14a1ba
                                                                            • Instruction ID: 027006cf2d98db9fa9c400e5027e86f3261d974ae097fd254c994c4dc937b6e6
                                                                            • Opcode Fuzzy Hash: a6173edc5218a8736919d7ec244e80ad4ff8d0a671bf7eda1f584d4bdf14a1ba
                                                                            • Instruction Fuzzy Hash: FF51E471900215ABCB20AF64DE89B9F7BB8EB14359F50403BF500B32D1C6BC9E459AAD
Uniqueness
• Uniqueness Score: -1.00%

                                                                            Control-flow Graph (graph image not included in this export)
                                                                            APIs
                                                                            • GetSystemDirectoryA.KERNEL32("post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0,00000400), ref: 0040615D
                                                                            • GetWindowsDirectoryA.KERNEL32("post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0,00000400,?,0042A050,00000000,0040516F,0042A050,00000000), ref: 00406170
                                                                            • SHGetSpecialFolderLocation.SHELL32(0040516F,759223A0,?,0042A050,00000000,0040516F,0042A050,00000000), ref: 004061AC
                                                                            • SHGetPathFromIDListA.SHELL32(759223A0,"post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0), ref: 004061BA
                                                                            • CoTaskMemFree.OLE32(759223A0), ref: 004061C6
                                                                            • lstrcatA.KERNEL32("post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0,\Microsoft\Internet Explorer\Quick Launch), ref: 004061EA
                                                                            • lstrlenA.KERNEL32("post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0,?,0042A050,00000000,0040516F,0042A050,00000000,00000000,0042277C,759223A0), ref: 0040623C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                            • String ID: "post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                            • API String ID: 717251189-1788430709
                                                                            • Opcode ID: b5f21783dff86301b55f28ea11f9c7815398c55a2ca1ca21ed943f87329636d9
                                                                            • Instruction ID: 0eb145c1bee873094c14c85ea59bbbcbcc52f889deb60e0de917f7e6e63be494
                                                                            • Opcode Fuzzy Hash: b5f21783dff86301b55f28ea11f9c7815398c55a2ca1ca21ed943f87329636d9
                                                                            • Instruction Fuzzy Hash: F1610171900114AEDF24AF64CC84BBE3BA5AB15314F52417FE913BA2D2C77C49A2CB5E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph (graph image not included in this export)
                                                                            APIs
                                                                            • lstrcatA.KERNEL32(00000000,00000000,"post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0,C:\Program Files (x86)\Windows Provisioning,00000000,00000000,00000031), ref: 00401798
                                                                            • CompareFileTime.KERNEL32(-00000014,?,"post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0,"post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0,00000000,00000000,"post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0,C:\Program Files (x86)\Windows Provisioning,00000000,00000000,00000031), ref: 004017C2
                                                                              • Part of subcall function 00406010: lstrcpynA.KERNEL32(?,?,00000400,0040333D,Windows Provisioning Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 0040601D
                                                                              • Part of subcall function 00405137: lstrlenA.KERNEL32(0042A050,00000000,0042277C,759223A0,?,?,?,?,?,?,?,?,?,00403156,00000000,?), ref: 00405170
                                                                              • Part of subcall function 00405137: lstrlenA.KERNEL32(00403156,0042A050,00000000,0042277C,759223A0,?,?,?,?,?,?,?,?,?,00403156,00000000), ref: 00405180
                                                                              • Part of subcall function 00405137: lstrcatA.KERNEL32(0042A050,00403156,00403156,0042A050,00000000,0042277C,759223A0), ref: 00405193
                                                                              • Part of subcall function 00405137: SetWindowTextA.USER32(0042A050,0042A050), ref: 004051A5
                                                                              • Part of subcall function 00405137: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051CB
                                                                              • Part of subcall function 00405137: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051E5
                                                                              • Part of subcall function 00405137: SendMessageA.USER32(?,00001013,?,00000000), ref: 004051F3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                            • String ID: "post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0$C:\Program Files (x86)\Windows Provisioning$C:\Program Files (x86)\Windows Provisioning
                                                                            • API String ID: 1941528284-387393673
                                                                            • Opcode ID: d2d4c9be4c77887772f7a063183bc6da9d3610935c72e1bf3270bbb4a4cc9717
                                                                            • Instruction ID: fcac4804817dd72ce497849c2c59a0292666c96c0e268c836f952ab8254f0f2b
                                                                            • Opcode Fuzzy Hash: d2d4c9be4c77887772f7a063183bc6da9d3610935c72e1bf3270bbb4a4cc9717
                                                                            • Instruction Fuzzy Hash: 5941E571900114BACF10BBB5CD45E9F3A79EF45369F20823BF412F20E2DA7C8A519A6D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph (graph image not included in this export)
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: CountTick$wsprintf
                                                                            • String ID: ... %d%%$|'B
                                                                            • API String ID: 551687249-769249321
                                                                            • Opcode ID: fadbfff98126c3f33fc218ff52c7570f2bc54738a50a490896210387b9f65f46
                                                                            • Instruction ID: 2f86f0e091d903dd4c8dc1f0d7d1d97a23866136c8ad304ef4da6da149bc5d25
                                                                            • Opcode Fuzzy Hash: fadbfff98126c3f33fc218ff52c7570f2bc54738a50a490896210387b9f65f46
                                                                            • Instruction Fuzzy Hash: D2518D71801219EBDB10DF65DA44A9E7FB8EF08316F10817BE810B72E1C7789B44CBA9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph (graph image not included in this export)
                                                                            APIs
                                                                            • CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405640
                                                                            • GetLastError.KERNEL32 ref: 00405654
                                                                            • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405669
                                                                            • GetLastError.KERNEL32 ref: 00405673
                                                                            Strings
                                                                            • C:\Users\user\AppData\Roaming\Windows Provisioning, xrefs: 004055FD
                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405623
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                            • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Windows Provisioning
                                                                            • API String ID: 3449924974-980186624
                                                                            • Opcode ID: 3f07113bbed92aa299f899006a5ac68722d9e9d13463f273e10feef126da3ab7
                                                                            • Instruction ID: eb9787142c6b7489d22a19a099e3bfbf20428df61be735a73e08cf58b85abbae
                                                                            • Opcode Fuzzy Hash: 3f07113bbed92aa299f899006a5ac68722d9e9d13463f273e10feef126da3ab7
                                                                            • Instruction Fuzzy Hash: 89010871C00219EAEF009FA1C904BEFBBB8EB14354F00847AD545B6290DB7996088FA9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph (graph image not included in this export)
                                                                            APIs
                                                                            • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406351
                                                                            • wsprintfA.USER32 ref: 0040638A
                                                                            • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040639E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                            • String ID: %s%s.dll$UXTHEME$\
                                                                            • API String ID: 2200240437-4240819195
                                                                            • Opcode ID: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
                                                                            • Instruction ID: 4d0fdf3fe302aa3e605d302367287b0bc06203fc89102858e08200231af957cf
                                                                            • Opcode Fuzzy Hash: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
                                                                            • Instruction Fuzzy Hash: 9EF0F670510609ABEB24AB74DD0DFEB366CAB08305F14057AAA86E11D1EA78D9358BDC
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph (graph image not included in this export)
                                                                            APIs
                                                                            • GetTickCount.KERNEL32 ref: 00405BEC
                                                                            • GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405C06
                                                                            Strings
                                                                            • "C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe" -s=1, xrefs: 00405BD8
                                                                            • nsa, xrefs: 00405BE3
                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405BDB
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: CountFileNameTempTick
                                                                            • String ID: "C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe" -s=1$C:\Users\user\AppData\Local\Temp\$nsa
                                                                            • API String ID: 1716503409-3809531280
                                                                            • Opcode ID: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
                                                                            • Instruction ID: 7981c9ddf24778652055132877b92488972f9a5eb9cf132aa873dca7e4a118a1
                                                                            • Opcode Fuzzy Hash: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
                                                                            • Instruction Fuzzy Hash: 0FF082363183046BEB109F56DD04B9B7BA9DFD2750F14803BFA489B290D6B4A9548B58
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph
                                                                            control_flow_graph 553 405a96-405ab1 call 406010 call 405a41 558 405ab3-405ab5 553->558 559 405ab7-405ac4 call 40627a 553->559 560 405b09-405b0b 558->560 563 405ad0-405ad2 559->563 564 405ac6-405aca 559->564 566 405ae8-405af1 lstrlenA 563->566 564->558 565 405acc-405ace 564->565 565->558 565->563 567 405af3-405b07 call 4059a8 GetFileAttributesA 566->567 568 405ad4-405adb call 406313 566->568 567->560 573 405ae2-405ae3 call 4059ef 568->573 574 405add-405ae0 568->574 573->566 574->558 574->573
                                                                            APIs
                                                                              • Part of subcall function 00406010: lstrcpynA.KERNEL32(?,?,00000400,0040333D,Windows Provisioning Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 0040601D
                                                                              • Part of subcall function 00405A41: CharNextA.USER32(?,?,C:\,?,00405AAD,C:\,C:\,75923410,?,C:\Users\user\AppData\Local\Temp\,004057F8,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A4F
                                                                              • Part of subcall function 00405A41: CharNextA.USER32(00000000), ref: 00405A54
                                                                              • Part of subcall function 00405A41: CharNextA.USER32(00000000), ref: 00405A68
                                                                            • lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,75923410,?,C:\Users\user\AppData\Local\Temp\,004057F8,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405AE9
                                                                            • GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,75923410,?,C:\Users\user\AppData\Local\Temp\,004057F8,?,75923410,C:\Users\user\AppData\Local\Temp\), ref: 00405AF9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                            • String ID: C:\$C:\Users\user\AppData\Local\Temp\
                                                                            • API String ID: 3248276644-1964270705
                                                                            • Opcode ID: a0e90dbc06f1550ade5f4dfcb0fddeac6c7db65a8ba4490088ce0944d0043635
                                                                            • Instruction ID: 19c9bca0149f7da3aa3ccb8fe98c792d35a3de88cc2685bd8f8020a319c38c36
                                                                            • Opcode Fuzzy Hash: a0e90dbc06f1550ade5f4dfcb0fddeac6c7db65a8ba4490088ce0944d0043635
                                                                            • Instruction Fuzzy Hash: 94F0F425305D6116DA22323A5D85AAF2A44CED632471A073BF852B12C3DB3C89439DFE
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph
                                                                            control_flow_graph 576 40206a-402076 577 402131-402133 576->577 578 40207c-402092 call 402b2c * 2 576->578 579 4022a4-4022a9 call 401423 577->579 588 4020a1-4020af LoadLibraryExA 578->588 589 402094-40209f GetModuleHandleA 578->589 585 4029b8-4029c7 579->585 590 4020b1-4020be GetProcAddress 588->590 591 40212a-40212c 588->591 589->588 589->590 593 4020c0-4020c6 590->593 594 4020fd-402102 call 405137 590->594 591->579 595 4020c8-4020d4 call 401423 593->595 596 4020df-4020f3 593->596 599 402107-40210a 594->599 595->599 607 4020d6-4020dd 595->607 601 4020f8-4020fb 596->601 599->585 602 402110-402118 call 4037cd 599->602 601->599 602->585 606 40211e-402125 FreeLibrary 602->606 606->585 607->599
                                                                            APIs
                                                                            • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00402095
                                                                              • Part of subcall function 00405137: lstrlenA.KERNEL32(0042A050,00000000,0042277C,759223A0,?,?,?,?,?,?,?,?,?,00403156,00000000,?), ref: 00405170
                                                                              • Part of subcall function 00405137: lstrlenA.KERNEL32(00403156,0042A050,00000000,0042277C,759223A0,?,?,?,?,?,?,?,?,?,00403156,00000000), ref: 00405180
                                                                              • Part of subcall function 00405137: lstrcatA.KERNEL32(0042A050,00403156,00403156,0042A050,00000000,0042277C,759223A0), ref: 00405193
                                                                              • Part of subcall function 00405137: SetWindowTextA.USER32(0042A050,0042A050), ref: 004051A5
                                                                              • Part of subcall function 00405137: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051CB
                                                                              • Part of subcall function 00405137: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051E5
                                                                              • Part of subcall function 00405137: SendMessageA.USER32(?,00001013,?,00000000), ref: 004051F3
                                                                            • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004020A5
                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 004020B5
                                                                            • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040211F
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                                            • String ID:
                                                                            • API String ID: 2987980305-0
                                                                            • Opcode ID: 9ad9ce2a502c8eb59803e63aa1a3e0a6c3f0f64fdee950c1b1f2159af15bdaac
                                                                            • Instruction ID: 166643d80e3f452ca3a3677f95ea327ecca8534a485506fba34b2def260d9046
                                                                            • Opcode Fuzzy Hash: 9ad9ce2a502c8eb59803e63aa1a3e0a6c3f0f64fdee950c1b1f2159af15bdaac
                                                                            • Instruction Fuzzy Hash: EA21C671900214ABCF217FA4CF89AAE7A74AF15318F20413BF601B62D0D6FD49829A5E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph
                                                                            control_flow_graph 608 4015bb-4015ce call 402b2c call 405a41 613 4015d0-4015e3 call 4059d3 608->613 614 401624-401627 608->614 622 4015e5-4015e8 613->622 623 4015fb-4015fc call 40567a 613->623 616 401652-4022a9 call 401423 614->616 617 401629-401644 call 401423 call 406010 SetCurrentDirectoryA 614->617 630 4029b8-4029c7 616->630 617->630 636 40164a-40164d 617->636 622->623 627 4015ea-4015f1 call 405697 622->627 629 401601-401603 623->629 627->623 640 4015f3-4015f4 call 4055fd 627->640 633 401605-40160a 629->633 634 40161a-401622 629->634 638 401617 633->638 639 40160c-401615 GetFileAttributesA 633->639 634->613 634->614 636->630 638->634 639->634 639->638 643 4015f9 640->643 643->629
                                                                            APIs
                                                                              • Part of subcall function 00405A41: CharNextA.USER32(?,?,C:\,?,00405AAD,C:\,C:\,75923410,?,C:\Users\user\AppData\Local\Temp\,004057F8,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A4F
                                                                              • Part of subcall function 00405A41: CharNextA.USER32(00000000), ref: 00405A54
                                                                              • Part of subcall function 00405A41: CharNextA.USER32(00000000), ref: 00405A68
                                                                            • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                                                              • Part of subcall function 004055FD: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405640
                                                                            • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Program Files (x86)\Windows Provisioning,00000000,00000000,000000F0), ref: 0040163C
                                                                            Strings
                                                                            • C:\Program Files (x86)\Windows Provisioning, xrefs: 00401631
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                            • String ID: C:\Program Files (x86)\Windows Provisioning
                                                                            • API String ID: 1892508949-401443821
                                                                            • Opcode ID: 5f753e0658c4706503074469e71019f2b9f731883a19c30285f75084ce00b664
                                                                            • Instruction ID: 1afb8a6b6fc663fc0b529d5452f3d1f5a7876e1f873962654dbae4e79628cbca
                                                                            • Opcode Fuzzy Hash: 5f753e0658c4706503074469e71019f2b9f731883a19c30285f75084ce00b664
                                                                            • Instruction Fuzzy Hash: 08112731508141EBCB217FB54D41A7F36B4AE96324F68093FE4D1B22E2D63D4842AA2F
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph
                                                                            control_flow_graph 644 405ef7-405f29 call 405e96 647 405f66 644->647 648 405f2b-405f58 RegQueryValueExA RegCloseKey 644->648 649 405f69-405f6b 647->649 648->647 650 405f5a-405f5e 648->650 650->649 651 405f60-405f64 650->651 651->647 651->649
                                                                            APIs
                                                                            • RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400,"post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0,0042A050,?,?,?,00000002,"post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0,?,0040613B,80000002), ref: 00405F3D
                                                                            • RegCloseKey.KERNELBASE(?,?,0040613B,80000002,Software\Microsoft\Windows\CurrentVersion,"post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0,"post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0,"post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0,?,0042A050), ref: 00405F48
                                                                            Strings
                                                                            • "post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0, xrefs: 00405EFA, 00405F2E
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: CloseQueryValue
                                                                            • String ID: "post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0
                                                                            • API String ID: 3356406503-2912109781
                                                                            • Opcode ID: 074503bd4819f587f33d8f4257f8029770edcc3592d90d126d241b317bef6944
                                                                            • Instruction ID: 2ff6a7a209fcbf00177f68e0cac6a7fed3d2e9df1b1dc864ec66af95abe17f1f
                                                                            • Opcode Fuzzy Hash: 074503bd4819f587f33d8f4257f8029770edcc3592d90d126d241b317bef6944
                                                                            • Instruction Fuzzy Hash: 63017C7250060AABDF228F61CD09FDB3FA8EF59364F04403AF955E2190D2B8DA54CFA4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph
                                                                            control_flow_graph 652 4056af-4056e0 CreateProcessA 653 4056e2-4056eb CloseHandle 652->653 654 4056ee-4056ef 652->654 653->654
                                                                            APIs
                                                                            • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C078,Error launching installer), ref: 004056D8
                                                                            • CloseHandle.KERNEL32(?), ref: 004056E5
                                                                            Strings
                                                                            • Error launching installer, xrefs: 004056C2
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: CloseCreateHandleProcess
                                                                            • String ID: Error launching installer
                                                                            • API String ID: 3712363035-66219284
                                                                            • Opcode ID: a2b9ecb8406674d5a7d1aded78611502900df459338db245270d40db8d5eaf79
                                                                            • Instruction ID: d682804100e664e073205113f6b11307167482a28e2818ee20dd6d85df95f7a7
                                                                            • Opcode Fuzzy Hash: a2b9ecb8406674d5a7d1aded78611502900df459338db245270d40db8d5eaf79
                                                                            • Instruction Fuzzy Hash: CFE046F0640209BFEB109FA0EE49F7F7AADEB00704F404521BD00F2190EA7498088A7C
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • FreeLibrary.KERNELBASE(?,75923410,00000000,C:\Users\user\AppData\Local\Temp\,00403770,0040358A,?,?,00000006,00000008,0000000A), ref: 004037B2
                                                                            • GlobalFree.KERNEL32(00000000), ref: 004037B9
                                                                            Strings
                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00403798
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: Free$GlobalLibrary
                                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                                            • API String ID: 1100898210-823278215
                                                                            • Opcode ID: 248c780681ff10c09d9810c58c710ba8abcca500869ff380da07a7f320702544
                                                                            • Instruction ID: 06ba742c3ad1fb67bc09d12af4c86e1058789e05b1a36190638fabe2eea0851a
                                                                            • Opcode Fuzzy Hash: 248c780681ff10c09d9810c58c710ba8abcca500869ff380da07a7f320702544
                                                                            • Instruction Fuzzy Hash: EAE0C27352212097C7312F15EE04B1AB7A86F86F22F09403AE8407B2A087741C438BCC
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

APIs
• lstrlenA.KERNEL32(0040AC18,00000023,00000011,00000002), ref: 00402488
• RegSetValueExA.KERNELBASE(?,?,?,?,0040AC18,00000000,00000011,00000002), ref: 004024C5
• RegCloseKey.ADVAPI32(?,?,?,0040AC18,00000000,00000011,00000002), ref: 004025A9
Memory Dump Source
• Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
Similarity
• API ID: CloseValuelstrlen
• String ID:
• API String ID: 2655323295-0
• Opcode ID: 4e63be427a74e043a8ca9afa508d3f5c36f16e597551305d3883f145c9c59f91
• Instruction ID: 559559637a649bcd28a1cc64439ef7fed2494afba8ff337a7fe29a68e97d1b61
• Opcode Fuzzy Hash: 4e63be427a74e043a8ca9afa508d3f5c36f16e597551305d3883f145c9c59f91
• Instruction Fuzzy Hash: 26115E71E00218AFEB01AFA58E49EAE7AB4EB48314F21443BF504B71C1D6F95D419B68
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00405B84: GetFileAttributesA.KERNELBASE(?,?,0040579C,?,?,00000000,0040597F,?,?,?,?), ref: 00405B89
  • Part of subcall function 00405B84: SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405B9D
• RemoveDirectoryA.KERNELBASE(?,?,?,00000000,0040597F), ref: 004057AB
• DeleteFileA.KERNELBASE(?,?,?,00000000,0040597F), ref: 004057B3
• SetFileAttributesA.KERNEL32(?,00000000), ref: 004057CB
Memory Dump Source
• Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
Similarity
• API ID: File$Attributes$DeleteDirectoryRemove
• String ID:
• API String ID: 1655745494-0
• Opcode ID: 1b58439dbc4d5c75e8d4a1b60800a1a05f091bf10d9841f58e7402e1275724a5
• Instruction ID: 506f0000beea922c53fa0ef56bc3bb9d2703a559d1119bf8978eeb103538cabb
• Opcode Fuzzy Hash: 1b58439dbc4d5c75e8d4a1b60800a1a05f091bf10d9841f58e7402e1275724a5
• Instruction Fuzzy Hash: 6CE0E531115AA197D61057308E0CB5B3AA8DF86328F19093BF992B31D0C7784446DA7E
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegQueryValueExA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 0040250A
• RegCloseKey.ADVAPI32(?,?,?,0040AC18,00000000,00000011,00000002), ref: 004025A9
Memory Dump Source
• Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
Similarity
• API ID: CloseQueryValue
• String ID:
• API String ID: 3356406503-0
• Opcode ID: 96c36fbc50e44a3ebb07383f364263b9dc7d5f2eede6118d18d4b03762f6bff5
• Instruction ID: 8c7c89e59df7b4709da067e0fd7ec9be99446db0afc11a297a964fac99c2b4a6
• Opcode Fuzzy Hash: 96c36fbc50e44a3ebb07383f364263b9dc7d5f2eede6118d18d4b03762f6bff5
• Instruction Fuzzy Hash: E5116A71901205EEDB11CF64CA599AEBAB4AB19348F60447FE042B62C0D6B88A45DB6D
Uniqueness
Uniqueness Score: -1.00%

APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
• SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
Memory Dump Source
• Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 3ffebd5fca59fb87aab51f7597ede924ce92eaed1a0ec0a619fe9c5b1ad01a7d
• Instruction ID: 5ed4d9c38c73c282456bb639181f16eab54b9a7fb1a82fe129ff52a3f74c88ba
• Opcode Fuzzy Hash: 3ffebd5fca59fb87aab51f7597ede924ce92eaed1a0ec0a619fe9c5b1ad01a7d
• Instruction Fuzzy Hash: B101F4317242109BE7199B399D04B6A3698E710719F54823FF852F61F1D678EC028B4C
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(?,?,?,004032DE,0000000A), ref: 004063BA
• GetProcAddress.KERNEL32(00000000,?), ref: 004063D5
  • Part of subcall function 0040633A: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406351
  • Part of subcall function 0040633A: wsprintfA.USER32 ref: 0040638A
  • Part of subcall function 0040633A: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040639E
Memory Dump Source
• Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
Similarity
• API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
• String ID:
• API String ID: 2547128583-0
• Opcode ID: dd9300423111a071ed2c714751f7876f95e5d132df45129638b184150075da19
• Instruction ID: 650a49b09a3c495eabc0f371936d9c907298e200c4f2363c251d84495e191d7a
• Opcode Fuzzy Hash: dd9300423111a071ed2c714751f7876f95e5d132df45129638b184150075da19
• Instruction Fuzzy Hash: B4E08C32604220ABD2106A74AE0493B72A89E94710302083EF947F2240DB389C3697AD
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNELBASE(00000003,00402E04,C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe,80000000,00000003), ref: 00405BAD
• CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BCF
Memory Dump Source
• Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
• Opcode ID: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
• Instruction ID: 6905ba7dec075751c4c8bdaf1e97cd52a4ed4154a0977e2bcfee25d1bc4df630
• Opcode Fuzzy Hash: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
• Instruction Fuzzy Hash: F5D09E31254201EFEF098F20DE16F2EBBA2EB94B00F11952CB682944E1DA715819AB19
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNELBASE(?,?,0040579C,?,?,00000000,0040597F,?,?,?,?), ref: 00405B89
• SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405B9D
Memory Dump Source
• Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: a53a5738952024e77fe51bdf82e6835a24f68a8863f167a8e3b3ad13dd9f075c
• Instruction ID: 89bb1c08115ccb47c9876ad1094a3663263f91dea81084495bed50ebcc9a35d2
• Opcode Fuzzy Hash: a53a5738952024e77fe51bdf82e6835a24f68a8863f167a8e3b3ad13dd9f075c
• Instruction Fuzzy Hash: B7D0C972504421ABD2102728AE0889BBBA5DB542717028A36F9A5A22B1DB304C569A99
Uniqueness
Uniqueness Score: -1.00%

APIs
• CloseHandle.KERNEL32(FFFFFFFF,0040358A,?,?,00000006,00000008,0000000A), ref: 0040375E
Strings
• C:\Users\user\AppData\Local\Temp\nsmE645.tmp\, xrefs: 00403772
Memory Dump Source
• Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
Similarity
• API ID: CloseHandle
• String ID: C:\Users\user\AppData\Local\Temp\nsmE645.tmp\
• API String ID: 2962429428-1972978657
• Opcode ID: 4bfc4a86c4512e3107b8fb86be471d5238cf24995b86bfa467bc0e008276a2a3
• Instruction ID: fc3c4bd29221364ca44687d693abbcbbd121fb750d4ff3e3919dc32638d5829b
• Opcode Fuzzy Hash: 4bfc4a86c4512e3107b8fb86be471d5238cf24995b86bfa467bc0e008276a2a3
• Instruction Fuzzy Hash: F6C012B0540700B6C5647F799E8F9053A545B41736F608726B0B8F20F1C73C4659556F
Uniqueness
Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateDirectoryA.KERNELBASE(?,00000000,0040325E,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040347D,?,00000006,00000008,0000000A), ref: 00405680
                                                                            • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 0040568E
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: CreateDirectoryErrorLast
                                                                            • String ID:
                                                                            • API String ID: 1375471231-0
                                                                            • Opcode ID: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
                                                                            • Instruction ID: cb450b3a329ff4c2b820c3640ee2c86a22e1ba63869c3c930ac7c2b00640337e
                                                                            • Opcode Fuzzy Hash: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
                                                                            • Instruction Fuzzy Hash: B3C04C302145029EDA515B319E08B1B7A59AB90781F528839654AE81B0DE768455DD2E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402BDD,00000000,?,?), ref: 00405EED
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: Create
                                                                            • String ID:
                                                                            • API String ID: 2289755597-0
                                                                            • Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                                            • Instruction ID: 1d4fb08659ff36ace7b23f5759770be8a1f2413d8495cc917bdfefdc51ec9cff
                                                                            • Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                                            • Instruction Fuzzy Hash: 64E0E67201050DBEDF195F50DD0AD7B371DE704304F10492EFA45D5150E6B5AA716B78
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004031D6,00000000,0041D428,000000FF,0041D428,000000FF,000000FF,00000004,00000000), ref: 00405C64
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: FileWrite
                                                                            • String ID:
                                                                            • API String ID: 3934441357-0
                                                                            • Opcode ID: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
                                                                            • Instruction ID: df976955bb7b77361248817f919be03bb6bd2f6f3b4dc1c0c3d16748aaf5f5c5
                                                                            • Opcode Fuzzy Hash: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
                                                                            • Instruction Fuzzy Hash: 65E0EC3221476EABEF509F559D04EEB7B6CEB06360F004436FE25E2550D631E9219BA8
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403220,00000000,00000000,0040304A,000000FF,00000004,00000000,00000000,00000000), ref: 00405C35
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: FileRead
                                                                            • String ID:
                                                                            • API String ID: 2738559852-0
                                                                            • Opcode ID: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
                                                                            • Instruction ID: 6d14d449f293f6f00ca5a49b865ea561f53b7d8d8b79739f6419f9b8fb6d3ad5
                                                                            • Opcode Fuzzy Hash: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
                                                                            • Instruction Fuzzy Hash: 9EE0EC3221476AABEF109E559C00EEB7B6CEB05361F008836F915E3150D631E8219FA8
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,0042A050,?,?,00405F24,0042A050,?,?,?,00000002,"post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0), ref: 00405EBA
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: Open
                                                                            • String ID:
                                                                            • API String ID: 71445658-0
                                                                            • Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                                            • Instruction ID: 4562f56e26d1b405a4b2aa3aa7a0366252bc09d65f2ff82b9814b1ce5e7315b9
                                                                            • Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                                            • Instruction Fuzzy Hash: 19D0EC3200020DBADF115F90DD05FAB3B2EEB04310F004426FA45A50A0D775D630AA58
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%
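                                                                             The API lines in these entries are the part of the listing an analyst actually wants to pull out: the RegOpenKeyExA entry above, for instance, carries on its stack the installer command line with the C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe path and the C:\Program Files (x86)\Windows Provisioning install directory. The parser below is an added example, not part of the Joe Sandbox report or of its tooling. It assumes only the plain-text shape of the entries shown here (an "APIs" header, "• Api.Module(args), ref: addr" lines, optional "Part of subcall function" prefixes, and "• Opcode ID:" metadata); its sample input is copied from this report, with the CreateDirectoryA line shortened to a single Temp-path argument and the third entry left without an Opcode ID to show how a truncated entry is handled.

```python
"""Parse Joe Sandbox function-listing text into per-function API summaries.

Added example, not Joe Sandbox code. Assumes the plain-text entry layout
seen in this report and nothing else.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from this report (CreateDirectoryA shortened).
SAMPLE = r"""
APIs
• CreateDirectoryA.KERNELBASE(?,00000000,0040325E,C:\Users\user\AppData\Local\Temp\,0040347D,?,00000006,00000008,0000000A), ref: 00405680
• GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 0040568E
Memory Dump Source
• Opcode ID: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,0042A050,?,?,00405F24,0042A050,?,?,?,00000002,"post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0), ref: 00405EBA
• Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?,00000403), ref: 004052D4
  • Part of subcall function 004040D3: SendMessageA.USER32(00000028,?,00000001,00403F03), ref: 004040E1
• CreateThread.KERNEL32(00000000,00000000,Function_00005209,00000000), ref: 00405443
• CreatePopupMenu.USER32 ref: 004054FF
"""

# "• Api.Module(args), ref: addr"; args and the comma are absent for no-arg calls.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<subaddr>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
META_LINE = re.compile(r"^\s*•\s*(?P<key>Opcode ID|Instruction ID|API ID):\s*(?P<val>.*?)\s*$")
HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^|\"]+")  # drive-letter path up to a '|' or quote


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str                              # call-site address in the dumped image
    via_subcall: Optional[str] = None     # set when the report nests it under a subcall


@dataclass
class FunctionEntry:
    calls: List[ApiCall] = field(default_factory=list)
    meta: dict = field(default_factory=dict)

    @property
    def opcode_id(self) -> Optional[str]:
        return self.meta.get("Opcode ID")

    def string_args(self) -> List[str]:
        return [a for c in self.calls for a in c.args if classify(a) == "string"]


def classify(arg: str) -> str:
    """Bucket one argument: '?' (unresolved), 8-hex-digit value, Function_ label, or string."""
    if arg == "?":
        return "unknown"
    if HEX32.match(arg):
        return "value"
    if arg.startswith("Function_"):
        return "function"
    return "string"


def split_args(args: Optional[str]) -> List[str]:
    # The report does not quote string arguments, so a comma inside one would
    # split it; none of the strings in this report contain commas.
    return [a.strip() for a in args.split(",")] if args else []


def parse_entries(text: str) -> List[FunctionEntry]:
    entries: List[FunctionEntry] = []
    current: Optional[FunctionEntry] = None
    for line in text.splitlines():
        if line.strip() == "APIs":           # each function entry starts here
            current = FunctionEntry()
            entries.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            current.calls.append(ApiCall(m["api"], m["module"], split_args(m["args"]),
                                         m["ref"], m["subaddr"]))
            continue
        m = META_LINE.match(line)
        if m:
            current.meta[m["key"]] = m["val"]
    return entries


def host_indicators(entries: List[FunctionEntry]) -> List[str]:
    """Unique Windows paths found in string arguments, trailing backslash dropped."""
    found = set()
    for e in entries:
        for s in e.string_args():
            found.update(p.rstrip("\\") for p in PATH_RE.findall(s))
    return sorted(found)


def api_histogram(entries: List[FunctionEntry]) -> Counter:
    return Counter(f"{c.api}.{c.module}" for e in entries for c in e.calls)


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for e in parsed:
        print(e.opcode_id, [c.api for c in e.calls])
    print(host_indicators(parsed))
```

                                                                             The ref values are addresses inside the dumped image (the Source File lines give its base as 00400000), so they line up with the Opcode IDs for cross-referencing rather than with any process-wide address; the paths the parser returns are the hunt-ready artifacts (the Roaming\Windows Provisioning staging path, the Program Files install directory, the Temp working directory) that the raw stack columns bury among pointers and "?" placeholders.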

                                                                            APIs
                                                                            • SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: AttributesFile
                                                                            • String ID:
                                                                            • API String ID: 3188754299-0
                                                                            • Opcode ID: e96fbec41495e15a4c7bae773e545c4494f3eb1603eb57e13be7f4f976825ac0
                                                                            • Instruction ID: 4f8ec7b4fa93eeb61d23c1d92a418e90caec6e25b57ca3d9eeae261b5adaa5a1
                                                                            • Opcode Fuzzy Hash: e96fbec41495e15a4c7bae773e545c4494f3eb1603eb57e13be7f4f976825ac0
                                                                            • Instruction Fuzzy Hash: 0FD012727042009BCB11EFA8AB08A5E7775EB54324F600537D101F21D1D2B885459759
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F89,?), ref: 00403231
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: FilePointer
                                                                            • String ID:
                                                                            • API String ID: 973152223-0
                                                                            • Opcode ID: af556f1437a27586b8d302be8c6d190c2fb2fb51029204f11d8d070fc2108142
                                                                            • Instruction ID: 81fdcbbc46e9ac73494c3809a02cbb86869920566b24394b282a4516d046c7b0
                                                                            • Opcode Fuzzy Hash: af556f1437a27586b8d302be8c6d190c2fb2fb51029204f11d8d070fc2108142
                                                                            • Instruction Fuzzy Hash: 32B01231140300BFDA214F00DF09F057B21AB90700F10C034B384780F086711075EB0D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetDlgItem.USER32(?,000003F9), ref: 00404ABA
                                                                            • GetDlgItem.USER32(?,00000408), ref: 00404AC7
                                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 00404B16
                                                                            • LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404B2D
                                                                            • SetWindowLongA.USER32(?,000000FC,004050AB), ref: 00404B47
                                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404B59
                                                                            • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404B6D
                                                                            • SendMessageA.USER32(?,00001109,00000002), ref: 00404B83
                                                                            • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404B8F
                                                                            • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404B9F
                                                                            • DeleteObject.GDI32(00000110), ref: 00404BA4
                                                                            • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404BCF
                                                                            • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404BDB
                                                                            • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C75
                                                                            • SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404CA5
                                                                              • Part of subcall function 004040D3: SendMessageA.USER32(00000028,?,00000001,00403F03), ref: 004040E1
                                                                            • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404CB9
                                                                            • GetWindowLongA.USER32(?,000000F0), ref: 00404CE7
                                                                            • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404CF5
                                                                            • ShowWindow.USER32(?,00000005), ref: 00404D05
                                                                            • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404E00
                                                                            • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404E65
                                                                            • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404E7A
                                                                            • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404E9E
                                                                            • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404EBE
                                                                            • ImageList_Destroy.COMCTL32(?), ref: 00404ED3
                                                                            • GlobalFree.KERNEL32(?), ref: 00404EE3
                                                                            • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404F5C
                                                                            • SendMessageA.USER32(?,00001102,?,?), ref: 00405005
                                                                            • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00405014
                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00405034
                                                                            • ShowWindow.USER32(?,00000000), ref: 00405082
                                                                            • GetDlgItem.USER32(?,000003FE), ref: 0040508D
                                                                            • ShowWindow.USER32(00000000), ref: 00405094
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                            • String ID: $M$N
                                                                            • API String ID: 2564846305-813528018
                                                                            • Opcode ID: 7979eb89c2ba789210c478efbd40ca5770d0cf58fb7a2a7deeb4f629e08dd5c3
                                                                            • Instruction ID: b93138f0eedc2449d1e9bfda9be5258a8e47cdb0f0c7c2118b7039f3366b9e37
                                                                            • Opcode Fuzzy Hash: 7979eb89c2ba789210c478efbd40ca5770d0cf58fb7a2a7deeb4f629e08dd5c3
                                                                            • Instruction Fuzzy Hash: AA026EB0900209AFEB20DFA5DD45AAE7BB5FB44314F14813AF614B62E0C7799D52CF58
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetDlgItem.USER32(?,00000403), ref: 004052D4
                                                                            • GetDlgItem.USER32(?,000003EE), ref: 004052E3
                                                                            • GetClientRect.USER32(?,?), ref: 00405320
                                                                            • GetSystemMetrics.USER32(00000002), ref: 00405327
                                                                            • SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405348
                                                                            • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405359
                                                                            • SendMessageA.USER32(?,00001001,00000000,?), ref: 0040536C
                                                                            • SendMessageA.USER32(?,00001026,00000000,?), ref: 0040537A
                                                                            • SendMessageA.USER32(?,00001024,00000000,?), ref: 0040538D
                                                                            • ShowWindow.USER32(00000000,?,0000001B,?), ref: 004053AF
                                                                            • ShowWindow.USER32(?,00000008), ref: 004053C3
                                                                            • GetDlgItem.USER32(?,000003EC), ref: 004053E4
                                                                            • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004053F4
                                                                            • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040540D
                                                                            • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405419
                                                                            • GetDlgItem.USER32(?,000003F8), ref: 004052F2
                                                                              • Part of subcall function 004040D3: SendMessageA.USER32(00000028,?,00000001,00403F03), ref: 004040E1
                                                                            • GetDlgItem.USER32(?,000003EC), ref: 00405435
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00005209,00000000), ref: 00405443
                                                                            • CloseHandle.KERNEL32(00000000), ref: 0040544A
                                                                            • ShowWindow.USER32(00000000), ref: 0040546D
                                                                            • ShowWindow.USER32(?,00000008), ref: 00405474
                                                                            • ShowWindow.USER32(00000008), ref: 004054BA
                                                                            • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004054EE
                                                                            • CreatePopupMenu.USER32 ref: 004054FF
                                                                            • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405514
                                                                            • GetWindowRect.USER32(?,000000FF), ref: 00405534
                                                                            • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040554D
                                                                            • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405589
                                                                            • OpenClipboard.USER32(00000000), ref: 00405599
                                                                            • EmptyClipboard.USER32 ref: 0040559F
                                                                            • GlobalAlloc.KERNEL32(00000042,?), ref: 004055A8
                                                                            • GlobalLock.KERNEL32(00000000), ref: 004055B2
                                                                            • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004055C6
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 004055DF
                                                                            • SetClipboardData.USER32(00000001,00000000), ref: 004055EA
                                                                            • CloseClipboard.USER32 ref: 004055F0
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                            • String ID:
                                                                            • API String ID: 590372296-0
                                                                            • Opcode ID: 850865324eda7255bc617561a744910c99d6829a0b955d2a94bbb97841d7110d
                                                                            • Instruction ID: 66d789517199d7de7cfadb6731c275bc9a2b232ae8febcf914e4846c803f5e83
                                                                            • Opcode Fuzzy Hash: 850865324eda7255bc617561a744910c99d6829a0b955d2a94bbb97841d7110d
                                                                            • Instruction Fuzzy Hash: A3A147B0900608BFDB119F61DE89AAF7F79FB08354F40403AFA41BA1A0C7755E519F68
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C06
                                                                            • ShowWindow.USER32(?), ref: 00403C23
                                                                            • DestroyWindow.USER32 ref: 00403C37
                                                                            • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403C53
                                                                            • GetDlgItem.USER32(?,?), ref: 00403C74
                                                                            • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403C88
                                                                            • IsWindowEnabled.USER32(00000000), ref: 00403C8F
                                                                            • GetDlgItem.USER32(?,00000001), ref: 00403D3D
                                                                            • GetDlgItem.USER32(?,00000002), ref: 00403D47
                                                                            • SetClassLongA.USER32(?,000000F2,?), ref: 00403D61
                                                                            • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403DB2
                                                                            • GetDlgItem.USER32(?,00000003), ref: 00403E58
                                                                            • ShowWindow.USER32(00000000,?), ref: 00403E79
                                                                            • EnableWindow.USER32(?,?), ref: 00403E8B
                                                                            • EnableWindow.USER32(?,?), ref: 00403EA6
                                                                            • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403EBC
                                                                            • EnableMenuItem.USER32(00000000), ref: 00403EC3
                                                                            • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403EDB
                                                                            • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403EEE
                                                                            • lstrlenA.KERNEL32(0042A870,?,0042A870,00000000), ref: 00403F18
                                                                            • SetWindowTextA.USER32(?,0042A870), ref: 00403F27
                                                                            • ShowWindow.USER32(?,0000000A), ref: 0040405B
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                                                            • String ID:
                                                                            • API String ID: 184305955-0
                                                                            • Opcode ID: 5ffd1eee2a53c0bce8439eebe02f74cc0bfe9fdaa9e9cbb129ddddf772baf92f
                                                                            • Instruction ID: 8391a727dd330e9af47019fb45b898bbd0b6ec160f5193fdc8e4d7e88c7c5567
                                                                            • Opcode Fuzzy Hash: 5ffd1eee2a53c0bce8439eebe02f74cc0bfe9fdaa9e9cbb129ddddf772baf92f
                                                                            • Instruction Fuzzy Hash: 39C1B171600704AFDB20AF62EE45E2B3AA9FB95706F40043EF642B51E1CB799852DB1D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404294
                                                                            • GetDlgItem.USER32(00000000,000003E8), ref: 004042A8
                                                                            • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004042C6
                                                                            • GetSysColor.USER32(?), ref: 004042D7
                                                                            • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004042E6
                                                                            • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004042F5
                                                                            • lstrlenA.KERNEL32(?), ref: 004042F8
                                                                            • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404307
                                                                            • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 0040431C
                                                                            • GetDlgItem.USER32(?,0000040A), ref: 0040437E
                                                                            • SendMessageA.USER32(00000000), ref: 00404381
                                                                            • GetDlgItem.USER32(?,000003E8), ref: 004043AC
                                                                            • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004043EC
                                                                            • LoadCursorA.USER32(00000000,00007F02), ref: 004043FB
                                                                            • SetCursor.USER32(00000000), ref: 00404404
                                                                            • LoadCursorA.USER32(00000000,00007F00), ref: 0040441A
                                                                            • SetCursor.USER32(00000000), ref: 0040441D
                                                                            • SendMessageA.USER32(00000111,00000001,00000000), ref: 00404449
                                                                            • SendMessageA.USER32(00000010,00000000,00000000), ref: 0040445D
                                                                            Strings
                                                                            • N, xrefs: 0040439A
                                                                            • "post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0, xrefs: 004043D7
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                            • String ID: "post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0$N
                                                                            • API String ID: 3103080414-2896922254
                                                                            • Opcode ID: 448c26d367fa4ce24fea73f86f3c1ebcb169a2680b3cc918c82a0762cc84cb42
                                                                            • Instruction ID: e1855738532d9be41fcebd9a9c4146cd0e241e622fdf0fb061f71f1fb699f553
                                                                            • Opcode Fuzzy Hash: 448c26d367fa4ce24fea73f86f3c1ebcb169a2680b3cc918c82a0762cc84cb42
                                                                            • Instruction Fuzzy Hash: 2661A4B1A40208BFDB109F61DD45F6A7B69FB84314F00803AFB057A1D1C7B8A952CF98
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                                            • BeginPaint.USER32(?,?), ref: 00401047
                                                                            • GetClientRect.USER32(?,?), ref: 0040105B
                                                                            • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                            • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                            • DeleteObject.GDI32(?), ref: 004010ED
                                                                            • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                                            • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                            • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                            • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                            • DrawTextA.USER32(00000000,Windows Provisioning Setup,000000FF,00000010,00000820), ref: 00401156
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                            • DeleteObject.GDI32(?), ref: 00401165
                                                                            • EndPaint.USER32(?,?), ref: 0040116E
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                            • String ID: F$Windows Provisioning Setup
                                                                            • API String ID: 941294808-1343353702
                                                                            • Opcode ID: 7b2e9886d4a0a86190cfd2eb73994447d751dd60ad8b28ccd238e082d53d4ecc
                                                                            • Instruction ID: a83fe4be3842045fa55e49ef5e4516223b86fcdf0b70f1128ddfc4a40beffe79
                                                                            • Opcode Fuzzy Hash: 7b2e9886d4a0a86190cfd2eb73994447d751dd60ad8b28ccd238e082d53d4ecc
                                                                            • Instruction Fuzzy Hash: 48418C71400209AFCB058FA5DE459BF7BB9FF45314F00842EF9A1AA1A0C7749955DFA4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetDlgItem.USER32(?,000003FB), ref: 0040457F
                                                                            • SetWindowTextA.USER32(00000000,?), ref: 004045A9
                                                                            • SHBrowseForFolderA.SHELL32(?,00429C48,?), ref: 0040465A
                                                                            • CoTaskMemFree.OLE32(00000000), ref: 00404665
                                                                            • lstrcmpiA.KERNEL32("post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0,0042A870), ref: 00404697
                                                                            • lstrcatA.KERNEL32(?,"post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0), ref: 004046A3
                                                                            • SetDlgItemTextA.USER32(?,000003FB,?), ref: 004046B5
                                                                              • Part of subcall function 00405710: GetDlgItemTextA.USER32(?,?,00000400,004046EC), ref: 00405723
                                                                              • Part of subcall function 0040627A: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe" -s=1,75923410,C:\Users\user\AppData\Local\Temp\,00000000,00403246,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040347D,?,00000006,00000008,0000000A), ref: 004062D2
                                                                              • Part of subcall function 0040627A: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004062DF
                                                                              • Part of subcall function 0040627A: CharNextA.USER32(?,"C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe" -s=1,75923410,C:\Users\user\AppData\Local\Temp\,00000000,00403246,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040347D,?,00000006,00000008,0000000A), ref: 004062E4
                                                                              • Part of subcall function 0040627A: CharPrevA.USER32(?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000,00403246,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040347D,?,00000006,00000008,0000000A), ref: 004062F4
                                                                            • GetDiskFreeSpaceA.KERNEL32(00429840,?,?,0000040F,?,00429840,00429840,?,00000001,00429840,?,?,000003FB,?), ref: 00404773
                                                                            • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040478E
                                                                              • Part of subcall function 004048E7: lstrlenA.KERNEL32(0042A870,0042A870,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404802,000000DF,00000000,00000400,?), ref: 00404985
                                                                              • Part of subcall function 004048E7: wsprintfA.USER32 ref: 0040498D
                                                                              • Part of subcall function 004048E7: SetDlgItemTextA.USER32(?,0042A870), ref: 004049A0
                                                                            Strings
                                                                            • C:\Program Files (x86)\Windows Provisioning, xrefs: 00404680
                                                                            • A, xrefs: 00404653
                                                                            • "post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0, xrefs: 00404691, 00404696, 004046A1
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                            • String ID: "post_install.exe" exe=C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe|inst=C:\Program Files (x86)\Windows Provisioning|s=1|k=|p=|r=0$A$C:\Program Files (x86)\Windows Provisioning
                                                                            • API String ID: 2624150263-1516350515
                                                                            • Opcode ID: f8c5b323b79a30612e5f20638997160abd30a80c2805ffb51c5d0b55a3138d2a
                                                                            • Instruction ID: 05eea3de79cf24fe9bb33e9012793c4f482d3b98f46f23a5f19240ee3c7d349e
                                                                            • Opcode Fuzzy Hash: f8c5b323b79a30612e5f20638997160abd30a80c2805ffb51c5d0b55a3138d2a
                                                                            • Instruction Fuzzy Hash: 78A160B1900218ABDB11AFA6CD45AAF77B8AF85314F14843BF601B62D1D77C8A418B6D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405E10,?,?), ref: 00405CB0
                                                                            • GetShortPathNameA.KERNEL32(?,0042C600,00000400), ref: 00405CB9
                                                                              • Part of subcall function 00405B0E: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D69,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B1E
                                                                              • Part of subcall function 00405B0E: lstrlenA.KERNEL32(00000000,?,00000000,00405D69,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B50
                                                                            • GetShortPathNameA.KERNEL32(?,0042CA00,00000400), ref: 00405CD6
                                                                            • wsprintfA.USER32 ref: 00405CF4
                                                                            • GetFileSize.KERNEL32(00000000,00000000,0042CA00,C0000000,00000004,0042CA00,?,?,?,?,?), ref: 00405D2F
                                                                            • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405D3E
                                                                            • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D76
                                                                            • SetFilePointer.KERNEL32(0040A3B8,00000000,00000000,00000000,00000000,0042C200,00000000,-0000000A,0040A3B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405DCC
                                                                            • GlobalFree.KERNEL32(00000000), ref: 00405DDD
                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405DE4
                                                                              • Part of subcall function 00405BA9: GetFileAttributesA.KERNELBASE(00000003,00402E04,C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe,80000000,00000003), ref: 00405BAD
                                                                              • Part of subcall function 00405BA9: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BCF
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                            • String ID: %s=%s$[Rename]
                                                                            • API String ID: 2171350718-1727408572
                                                                            • Opcode ID: f77fbfde1968c6cc6d109ac9641d83ed14e9d60a65f6ef3fc352fd67b9dcf635
                                                                            • Instruction ID: 5f10e72b046bb4c3808544f3b96a1b07f09bbbda3d3e46611c613b54f85f09c3
                                                                            • Opcode Fuzzy Hash: f77fbfde1968c6cc6d109ac9641d83ed14e9d60a65f6ef3fc352fd67b9dcf635
                                                                            • Instruction Fuzzy Hash: F631F231600B15ABD2207BA59D4DFAB3A6CDF42754F14443BFA01F62D2DA7CE8058ABD
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%
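The per-function summaries above list each routine's API calls with their arguments, the string literals it references and the "String ID" digest, which is enough to recover an API call sequence per function and the file-system paths the installer touches. The following Python is an added example for this page, not Joe Sandbox code and not part of the report: its input is constructed from summary lines copied from this page (memory-dump and hash lines dropped, since the parser ignores them), and its rename-on-reboot heuristic is this example's own assessment, namely that "[Rename]" and "%s=%s" written next to GetShortPathNameA calls match the wininit.ini rename-on-reboot routine used by the NSIS installer stub.

```python
"""Parse Joe Sandbox per-function API summaries into call sequences and
file-system indicators.

Added example for this report page; not Joe Sandbox code. SAMPLE is
constructed from summary lines copied off the page. The rename-on-reboot
heuristic is an assumption of this example ("[Rename]" + "%s=%s" next to
GetShortPathNameA is the wininit.ini rename routine of the NSIS stub).
"""
import re
from dataclasses import dataclass, field

# Constructed input: two function summaries copied from the report.
SAMPLE = r"""
APIs
• CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405E10,?,?), ref: 00405CB0
• GetShortPathNameA.KERNEL32(?,0042C600,00000400), ref: 00405CB9
  • Part of subcall function 00405B0E: lstrlenA.KERNEL32(00000000,?,00000000,00405D69,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B50
• GetShortPathNameA.KERNEL32(?,0042CA00,00000400), ref: 00405CD6
• wsprintfA.USER32 ref: 00405CF4
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D76
• SetFilePointer.KERNEL32(0040A3B8,00000000,00000000,00000000,00000000,0042C200,00000000,-0000000A,0040A3B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405DCC
  • Part of subcall function 00405BA9: GetFileAttributesA.KERNELBASE(00000003,00402E04,C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe,80000000,00000003), ref: 00405BAD
Strings
Similarity
• String ID: %s=%s$[Rename]
Uniqueness Score: -1.00%
APIs
• CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004062DF
• CharPrevA.USER32(?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000,00403246,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040347D,?,00000006,00000008,0000000A), ref: 004062F4
Strings
• "C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe" -s=1, xrefs: 004062B6
• *?|<>/":, xrefs: 004062C2
• C:\Users\user\AppData\Local\Temp\, xrefs: 0040627B
Uniqueness Score: -1.00%
"""

# "<api>.<module>(<args>), ref: <addr>", optionally prefixed as a subcall entry.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<ref>[0-9A-F]{8})$")
# Drive-letter paths; the match ends at the quote or comma that ends an argument.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+')
HEADERS = {"Strings", "Similarity", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Uniqueness"}


@dataclass
class FunctionSummary:
    calls: list = field(default_factory=list)       # (api, module, args, ref, subcall_of)
    strings: list = field(default_factory=list)     # literals from the Strings section
    string_ids: list = field(default_factory=list)  # '$'-separated String ID entries

    @property
    def call_sequence(self):
        """APIs the function calls directly, in listing order (subcall entries excluded)."""
        return [api for api, _, _, _, sub in self.calls if sub is None]

    def mentions(self):
        return [a for _, _, args, _, _ in self.calls for a in args] + self.strings + self.string_ids

    def paths(self):
        """Unique drive-letter paths from arguments and strings, in order of appearance."""
        found = {}
        for text in self.mentions():
            for p in PATH_RE.findall(text):
                found.setdefault(p, None)
        return list(found)

    def rename_on_reboot(self):
        # Assumption of this example: "[Rename]" next to GetShortPathNameA is the
        # wininit.ini [Rename] section, i.e. a rename/delete scheduled for reboot.
        return any("[Rename]" in m for m in self.mentions()) and "GetShortPathNameA" in self.call_sequence


def parse_summaries(text):
    funcs, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                 # every "APIs" header opens a new function block
            cur = FunctionSummary()
            funcs.append(cur)
            section = "APIs"
            continue
        if line in HEADERS:
            section = line
            continue
        if cur is None or not line.startswith("•"):
            continue
        item = line.lstrip("• ").strip()
        if section == "APIs":
            m = API_RE.match(item)
            if m:
                # Arguments in this report never contain commas, so a plain split is safe.
                args = m["args"].split(",") if m["args"] is not None else []
                cur.calls.append((m["api"], m["mod"], args, m["ref"], m["sub"]))
        elif section == "Strings":
            m = STRING_RE.match(item)
            if m:
                cur.strings.append(m["text"])
        elif section == "Similarity" and item.startswith("String ID: "):
            cur.string_ids.extend(item[len("String ID: "):].split("$"))
    return funcs


def indicators(funcs):
    """Sorted unique paths across all parsed functions, ready for a hunt query."""
    return sorted({p for f in funcs for p in f.paths()})


if __name__ == "__main__":
    summaries = parse_summaries(SAMPLE)
    for i, f in enumerate(summaries):
        print(f"function {i}: {' -> '.join(f.call_sequence)}")
        print(f"  rename-on-reboot pattern: {f.rename_on_reboot()}")
    print("paths:", *indicators(summaries), sep="\n  ")
```

Run against the whole "Joe Sandbox IDA Plugin" section of a report, the same parser yields one call sequence per function and a de-duplicated list of dropped and staged paths, which is the part of this listing an analyst actually carries into endpoint hunting.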

                                                                            APIs
                                                                            • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe" -s=1,75923410,C:\Users\user\AppData\Local\Temp\,00000000,00403246,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040347D,?,00000006,00000008,0000000A), ref: 004062D2
                                                                            • CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004062DF
                                                                            • CharNextA.USER32(?,"C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe" -s=1,75923410,C:\Users\user\AppData\Local\Temp\,00000000,00403246,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040347D,?,00000006,00000008,0000000A), ref: 004062E4
                                                                            • CharPrevA.USER32(?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000,00403246,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040347D,?,00000006,00000008,0000000A), ref: 004062F4
                                                                            Strings
                                                                            • "C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe" -s=1, xrefs: 004062B6
                                                                            • *?|<>/":, xrefs: 004062C2
                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 0040627B
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: Char$Next$Prev
                                                                            • String ID: "C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe" -s=1$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                            • API String ID: 589700163-3813556669
                                                                            • Opcode ID: a4ab23b94a56fbb4e4ab915d6a0181bd243ee2e30b5e95404a857257d08c8b81
                                                                            • Instruction ID: 6247d5b4c7038ff51e561e9c2f84ae45375c8bcee8d01d3c6d5c321a6abb2e6d
                                                                            • Opcode Fuzzy Hash: a4ab23b94a56fbb4e4ab915d6a0181bd243ee2e30b5e95404a857257d08c8b81
                                                                            • Instruction Fuzzy Hash: 2211E95180479029EB3226246C40BBB7F884F97751F1A00BFE8C2722C1C67C5C52867D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetWindowLongA.USER32(?,000000EB), ref: 00404122
                                                                            • GetSysColor.USER32(00000000), ref: 00404160
                                                                            • SetTextColor.GDI32(?,00000000), ref: 0040416C
                                                                            • SetBkMode.GDI32(?,?), ref: 00404178
                                                                            • GetSysColor.USER32(?), ref: 0040418B
                                                                            • SetBkColor.GDI32(?,?), ref: 0040419B
                                                                            • DeleteObject.GDI32(?), ref: 004041B5
                                                                            • CreateBrushIndirect.GDI32(?), ref: 004041BF
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                            • String ID:
                                                                            • API String ID: 2320649405-0
                                                                            • Opcode ID: 2fd397ab70c88e7053abfa2b1889d7e6adf273714bf8f91ffd366fbe1d5efa4b
                                                                            • Instruction ID: 549509973aaa983cd2a57f184cdff44cbcc336d3318ba047a0b32752f088f93e
                                                                            • Opcode Fuzzy Hash: 2fd397ab70c88e7053abfa2b1889d7e6adf273714bf8f91ffd366fbe1d5efa4b
                                                                            • Instruction Fuzzy Hash: 7D2162715007049BCB219F68DD4CB5BBBF8AF91714B048A3EEA96A66E0C734E984CB54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • lstrlenA.KERNEL32(0042A050,00000000,0042277C,759223A0,?,?,?,?,?,?,?,?,?,00403156,00000000,?), ref: 00405170
                                                                            • lstrlenA.KERNEL32(00403156,0042A050,00000000,0042277C,759223A0,?,?,?,?,?,?,?,?,?,00403156,00000000), ref: 00405180
                                                                            • lstrcatA.KERNEL32(0042A050,00403156,00403156,0042A050,00000000,0042277C,759223A0), ref: 00405193
                                                                            • SetWindowTextA.USER32(0042A050,0042A050), ref: 004051A5
                                                                            • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051CB
                                                                            • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051E5
                                                                            • SendMessageA.USER32(?,00001013,?,00000000), ref: 004051F3
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                            • String ID:
                                                                            • API String ID: 2531174081-0
                                                                            • Opcode ID: 2f522a59394b9be444cbcacf3a1b4d18be92345b96de9eacb0d1f76aaf85f54b
                                                                            • Instruction ID: 7d4789c60296e211bada9a9e2a19d16c38d622f2d1b0cadef69f4b7d7b7d07eb
                                                                            • Opcode Fuzzy Hash: 2f522a59394b9be444cbcacf3a1b4d18be92345b96de9eacb0d1f76aaf85f54b
                                                                            • Instruction Fuzzy Hash: CE21A971900118BFDB119FA5CD85ADEBFA9EF08354F04807AF844A6291C7398E408FA8
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404A0C
                                                                            • GetMessagePos.USER32 ref: 00404A14
                                                                            • ScreenToClient.USER32(?,?), ref: 00404A2E
                                                                            • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404A40
                                                                            • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404A66
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: Message$Send$ClientScreen
                                                                            • String ID: f
                                                                            • API String ID: 41195575-1993550816
                                                                            • Opcode ID: b233b2991907e98a40282691d164461162982266b543cde43f51771bab81e11a
                                                                            • Instruction ID: dd2724b276b0829887a11dc4f26b79c7971af77995a7330ace4ae867cc8e4813
                                                                            • Opcode Fuzzy Hash: b233b2991907e98a40282691d164461162982266b543cde43f51771bab81e11a
                                                                            • Instruction Fuzzy Hash: 4B018071940218BADB00DB94DD81BFEBBB8AF95711F10412BBA11B61C0C7B455018FA4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402CF8
                                                                            • MulDiv.KERNEL32(00F62612,00000064,00F62616), ref: 00402D23
                                                                            • wsprintfA.USER32 ref: 00402D33
                                                                            • SetWindowTextA.USER32(?,?), ref: 00402D43
                                                                            • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402D55
                                                                            Strings
                                                                            • verifying installer: %d%%, xrefs: 00402D2D
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: Text$ItemTimerWindowwsprintf
                                                                            • String ID: verifying installer: %d%%
                                                                            • API String ID: 1451636040-82062127
                                                                            • Opcode ID: f8f7fb574b01a37347c2b5a7030e5195f98b1542352a9ab3f35e70a1f9b9ac5a
                                                                            • Instruction ID: 025fba79a5afffe449226ec8edfc98a8674e121caf39d96b1da50a976b993c92
                                                                            • Opcode Fuzzy Hash: f8f7fb574b01a37347c2b5a7030e5195f98b1542352a9ab3f35e70a1f9b9ac5a
                                                                            • Instruction Fuzzy Hash: AA01FF71640209FBEF249F60DE49FAE37A9FB04345F008039FA06B61D0DBB599568F59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004027F7
                                                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402813
                                                                            • GlobalFree.KERNEL32(?), ref: 0040284C
                                                                            • GlobalFree.KERNEL32(00000000), ref: 0040285F
                                                                            • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402877
                                                                            • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040288B
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
                                                                             • Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
                                                                            Similarity
                                                                            • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                            • String ID:
                                                                            • API String ID: 2667972263-0
                                                                            • Opcode ID: a2aa54484539e5cf0e08f909926563fd1753a777fa44bb9cc822b41f9e16e333
                                                                            • Instruction ID: 78559feecc0fcc9b474bd36237e9e6194516f5e07b3510cecd676cf0fe7807ca
                                                                            • Opcode Fuzzy Hash: a2aa54484539e5cf0e08f909926563fd1753a777fa44bb9cc822b41f9e16e333
                                                                            • Instruction Fuzzy Hash: A4217C72C00224ABCF217FA5CD49DAE7F79EF09364B10823AF520762E1CA7959419F98
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?), ref: 00401D58
• GetClientRect.USER32(?,?), ref: 00401D9F
• LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DCD
• SendMessageA.USER32(?,00000172,?,00000000), ref: 00401DDD
• DeleteObject.GDI32(00000000), ref: 00401DF4
Memory Dump Source
• Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
Similarity
• API ID: ClientDeleteImageItemLoadMessageObjectRectSend
• String ID:
• API String ID: 1849352358-0
• Opcode ID: 2a9a2f0378a9de6d229bce7b6285a7761bf43c3532daafe5d1da7bdf280b3250
• Instruction ID: 7a7dd6c208c7a4d57f36c402fdb0fe657614a2e015b6db45afd3f1aca9992802
• Opcode Fuzzy Hash: 2a9a2f0378a9de6d229bce7b6285a7761bf43c3532daafe5d1da7bdf280b3250
• Instruction Fuzzy Hash: 30215172E00109AFDB05DF98DE44AEEBBB9FB58310F10403AF945F62A1CB789941CB58
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetDC.USER32(?), ref: 00401E02
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E1C
• MulDiv.KERNEL32(00000000,00000000), ref: 00401E24
• ReleaseDC.USER32(?,00000000), ref: 00401E35
• CreateFontIndirectA.GDI32(0040B818), ref: 00401E84
Memory Dump Source
• Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectRelease
• String ID:
• API String ID: 3808545654-0
• Opcode ID: 4e2ac4968fbcfc45df335883300c5f964cad547b4711af948e6fa709055a9030
• Instruction ID: a7e809a5f5c9b27870585acda152ffb90eb46fec6a88876af75f69e410eeec04
• Opcode Fuzzy Hash: 4e2ac4968fbcfc45df335883300c5f964cad547b4711af948e6fa709055a9030
• Instruction Fuzzy Hash: A6015672544240AFD7016B74AE4ABA93FB8EB59305F108839F141B61F2C7750505CB9C
Uniqueness
Uniqueness Score: -1.00%

APIs
• SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7A
• SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C92
Strings
Memory Dump Source
• Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
Similarity
• API ID: MessageSend$Timeout
• String ID: !
• API String ID: 1777923405-2657877971
• Opcode ID: d1a5455d7aacc09bf912e97d7887ce2258fe7abf1a6a230a252a42dd7e2e40c1
• Instruction ID: f2250e9d7a54984aac42e0f48c7b57cae310fb8b86675e6ff90c870375dfe4cb
• Opcode Fuzzy Hash: d1a5455d7aacc09bf912e97d7887ce2258fe7abf1a6a230a252a42dd7e2e40c1
• Instruction Fuzzy Hash: 4D216BB1944208BEEF06AFA4D98AAAD7FB5EB44304F10447EF501B61D1C7B88640DB18
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrlenA.KERNEL32(0042A870,0042A870,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404802,000000DF,00000000,00000400,?), ref: 00404985
• wsprintfA.USER32 ref: 0040498D
• SetDlgItemTextA.USER32(?,0042A870), ref: 004049A0
Strings
Memory Dump Source
• Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s
• API String ID: 3540041739-3551169577
• Opcode ID: 8f52a3d2b7158611b8ddfee5cd82df9920a420a3de20037d500134a76e905cd2
• Instruction ID: e3696489e73bdb8ba2be03c53b0d6a47c9a41464d55e6eab91935fd2637341d8
• Opcode Fuzzy Hash: 8f52a3d2b7158611b8ddfee5cd82df9920a420a3de20037d500134a76e905cd2
• Instruction Fuzzy Hash: 0E11E473A441286BDB10A57D9C41EAF329CDB85374F254237FA26F31D1E978CC2282A9
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403258,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040347D,?,00000006,00000008,0000000A), ref: 004059AE
• CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403258,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040347D,?,00000006,00000008,0000000A), ref: 004059B7
• lstrcatA.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 004059C8
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 004059A8
Memory Dump Source
• Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
Similarity
• API ID: CharPrevlstrcatlstrlen
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 2659869361-823278215
• Opcode ID: dfed55a16eab86d89f3af7970decdd3a6c9dbbcd65d2cf450bad9cf681275afb
• Instruction ID: 62df29c05e3eff7e61c48a1ee3c1863d20e1198667f6a1bd608fcc747cda2104
• Opcode Fuzzy Hash: dfed55a16eab86d89f3af7970decdd3a6c9dbbcd65d2cf450bad9cf681275afb
• Instruction Fuzzy Hash: 90D0A9B2211A30BAE20266259E09ECF2E088F06310B060037F200B21A1CA3D0D1287FE
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C93
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402C9C
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402CBD
Memory Dump Source
• Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
Similarity
• API ID: Close$Enum
• String ID:
• API String ID: 464197530-0
• Opcode ID: effb832a44eae474ef75c518ed00afd6638a3a1b55d5a88c518eff5d822b0912
• Instruction ID: 2c23bb11d6ae01cf130d195ddd5538b48d854d6e1d77fd04796d14e07e1bb179
• Opcode Fuzzy Hash: effb832a44eae474ef75c518ed00afd6638a3a1b55d5a88c518eff5d822b0912
• Instruction Fuzzy Hash: 70116A32504109FBEF129F90DF09B9E7B6DEB54340F204036BD45B61E0E7B59E15ABA8
Uniqueness
Uniqueness Score: -1.00%

APIs
• CharNextA.USER32(?,?,C:\,?,00405AAD,C:\,C:\,75923410,?,C:\Users\user\AppData\Local\Temp\,004057F8,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A4F
• CharNextA.USER32(00000000), ref: 00405A54
• CharNextA.USER32(00000000), ref: 00405A68
Strings
Memory Dump Source
• Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
Similarity
• API ID: CharNext
• String ID: C:\
• API String ID: 3213498283-3404278061
• Opcode ID: b0e8f5e89ebadb76a027bec09a8a2b8523dc58ec169e45d2c78276560c1d622b
• Instruction ID: 984e8433726efb403dd44e64a223cc5f2fc3fa985c42d0e1b55ccc4b068145f6
• Opcode Fuzzy Hash: b0e8f5e89ebadb76a027bec09a8a2b8523dc58ec169e45d2c78276560c1d622b
• Instruction Fuzzy Hash: F9F06251B04F656AFB2292744C94B7B5B8CCB55361F184667D980662C282784C418FAA
Uniqueness
Uniqueness Score: -1.00%

APIs
• DestroyWindow.USER32(00000000,00000000,00402F3E,00000001), ref: 00402D73
• GetTickCount.KERNEL32 ref: 00402D91
• CreateDialogParamA.USER32(0000006F,00000000,00402CDD,00000000), ref: 00402DAE
• ShowWindow.USER32(00000000,00000005), ref: 00402DBC
Memory Dump Source
• Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
• API String ID: 2102729457-0
• Opcode ID: 92830607251259d7b21fa7f6a4b037c479e5f1f9739c9a057c3e932900ba9aab
• Instruction ID: 761b86bf19c83071f88326f4280a43ff42c19d235faedd25f12e3078a496723d
• Opcode Fuzzy Hash: 92830607251259d7b21fa7f6a4b037c479e5f1f9739c9a057c3e932900ba9aab
• Instruction Fuzzy Hash: 62F0F431A05621ABC6217B64BE4C9DF7A64BB04B11B51047AF545B22E4DB744C878BAC
Uniqueness
Uniqueness Score: -1.00%

APIs
• CoCreateInstance.OLE32(0040851C,?,00000001,0040850C,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021BA
• MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,0040850C,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402269
Strings
• C:\Program Files (x86)\Windows Provisioning, xrefs: 004021FA
Memory Dump Source
• Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2119573088.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119605481.0000000000408000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000040A000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.000000000042B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000430000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119624475.0000000000435000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.2119692686.000000000043F000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
Similarity
• API ID: ByteCharCreateInstanceMultiWide
• String ID: C:\Program Files (x86)\Windows Provisioning
• API String ID: 123533781-401443821
• Opcode ID: cf4befc47563f774fc358faa8388fb8f5b1703afdd10f80262d3b658bae61c2e
• Instruction ID: 754b6e0833e3014b2c682637ef6945f2e05814b0a8fe180c789646af90cdafbf
• Opcode Fuzzy Hash: cf4befc47563f774fc358faa8388fb8f5b1703afdd10f80262d3b658bae61c2e
• Instruction Fuzzy Hash: DD510771A00209AFCB04DFE4C988A9D7BB5EF48314F2045BAF515EB2D1DB799941CF54
Uniqueness
Uniqueness Score: -1.00%

APIs
• IsWindowVisible.USER32(?), ref: 004050DA
• CallWindowProcA.USER32(?,?,?,?), ref: 0040512B
  • Part of subcall function 004040EA: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004040FC
Strings
Memory Dump Source
• Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
• API String ID: 3748168415-3916222277
• Opcode ID: e888eab98be9719f5677808cf14d784dfa63dd3181dd39c0deeb7150e6d77b2f
• Instruction ID: 77e6a5b3f6bfc6627eb61d09ca0671ae0e6a579f7b3ef645513b94fc1d41cd39
• Opcode Fuzzy Hash: e888eab98be9719f5677808cf14d784dfa63dd3181dd39c0deeb7150e6d77b2f
• Instruction Fuzzy Hash: FD017171600648ABDF206F11DD81A5B3B65EB84750F144036FA417A1D2D73A8C629F6E
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrlenA.KERNEL32(80000000,C:\Users\user\AppData\Roaming\Windows Provisioning,00402E30,C:\Users\user\AppData\Roaming\Windows Provisioning,C:\Users\user\AppData\Roaming\Windows Provisioning,C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe,C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe,80000000,00000003), ref: 004059F5
• CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\AppData\Roaming\Windows Provisioning,00402E30,C:\Users\user\AppData\Roaming\Windows Provisioning,C:\Users\user\AppData\Roaming\Windows Provisioning,C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe,C:\Users\user\AppData\Roaming\Windows Provisioning\main_installer.exe,80000000,00000003), ref: 00405A03
Strings
• C:\Users\user\AppData\Roaming\Windows Provisioning, xrefs: 004059EF
Memory Dump Source
• Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
Similarity
• API ID: CharPrevlstrlen
• String ID: C:\Users\user\AppData\Roaming\Windows Provisioning
• API String ID: 2709904686-2535408887
• Opcode ID: 4402843b33e5109e67992b99d0281bb7e81fac819ebae0ac34b6d7d52c4d849b
• Instruction ID: 7185998fb8cc4c4ccda179d560b4c8302004e2739ffdff7e1043df3a51136750
• Opcode Fuzzy Hash: 4402843b33e5109e67992b99d0281bb7e81fac819ebae0ac34b6d7d52c4d849b
• Instruction Fuzzy Hash: E6D0C7B3519DB06EE30392549D04B9F6A48DF16710F094566E181A6195C6784D424BED
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D69,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B1E
• lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405B36
• CharNextA.USER32(00000000,?,00000000,00405D69,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B47
• lstrlenA.KERNEL32(00000000,?,00000000,00405D69,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B50
Memory Dump Source
• Source File: 00000003.00000002.2119588577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_main_installer.jbxd
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
• Opcode ID: dddc0b46adaff912d9c321cf48e41736a02eed0190ef2a74250491e495455120
• Instruction ID: 0197496b5d832c36441f5dd9a15c5c44ab4bce902fcb82863052ee0cfca36748
• Opcode Fuzzy Hash: dddc0b46adaff912d9c321cf48e41736a02eed0190ef2a74250491e495455120
• Instruction Fuzzy Hash: C9F0C231600418BFC7029BA5DD00D9EBBB8DF06250B2540BAE840F7210D634FE019BA8
Uniqueness
Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 24.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 3.5%
Total number of Nodes: 2000
Total number of Limit Nodes: 9
14875->14868 14877 5bd967 14876->14877 14878 5bd9ab 14877->14878 14879 5bd986 14877->14879 14881 5b4770 4 API calls 14877->14881 14880 5bd9c1 14878->14880 14882 5b4770 4 API calls 14878->14882 14885 5b46a0 memmove 14879->14885 14883 5b6380 16 API calls 14880->14883 14881->14879 14882->14880 14884 5bd9db 14883->14884 14886 5c62e0 9 API calls 14884->14886 14885->14878 14887 5bd9f9 14886->14887 14888 5bda3d 14887->14888 14889 5bda18 14887->14889 14891 5b4770 4 API calls 14887->14891 14890 5bda53 14888->14890 14892 5b4770 4 API calls 14888->14892 14895 5b46a0 memmove 14889->14895 14893 5b4f90 19 API calls 14890->14893 14891->14889 14892->14890 14894 5bda6d 14893->14894 14896 5c62e0 9 API calls 14894->14896 14895->14888 14897 5bda8b 14896->14897 14898 5bdacf 14897->14898 14899 5bdaaa 14897->14899 14901 5b4770 4 API calls 14897->14901 14900 5bdae5 14898->14900 14902 5b4770 4 API calls 14898->14902 14905 5b46a0 memmove 14899->14905 14903 5c62e0 9 API calls 14900->14903 14901->14899 14902->14900 14904 5bdb04 14903->14904 14906 5b4370 16 API calls 14904->14906 14905->14898 14907 5bdb1b 14906->14907 14908 5c62e0 9 API calls 14907->14908 14909 5bdb3a 14908->14909 14910 5b4370 16 API calls 14909->14910 14911 5bdb51 14910->14911 14912 5c62e0 9 API calls 14911->14912 14913 5bdb70 14912->14913 14914 5b4370 16 API calls 14913->14914 14915 5bdb87 14914->14915 14916 5c62e0 9 API calls 14915->14916 14917 5bdba6 14916->14917 14918 5b4370 16 API calls 14917->14918 14919 5bdbbd 14918->14919 14920 5c62e0 9 API calls 14919->14920 14921 5bdbdc 14920->14921 14922 5b4370 16 API calls 14921->14922 14923 5bdbf3 14922->14923 14924 5c62e0 9 API calls 14923->14924 14925 5bdc12 14924->14925 14926 5b4370 16 API calls 14925->14926 14927 5bdc29 14926->14927 14928 5c62e0 9 API calls 14927->14928 14929 5bdc48 14928->14929 14930 5b4270 18 API calls 14929->14930 14931 5bdc5d 14930->14931 14932 5c62e0 9 API calls 14931->14932 14933 5bdc7c 14932->14933 14934 5b4270 18 API calls 14933->14934 14935 5bdc91 
14934->14935 14936 5b6380 16 API calls 14935->14936 14937 5bdcab 14936->14937 14938 5c62e0 9 API calls 14937->14938 14939 5bdcc9 14938->14939 14940 5bdd0d 14939->14940 14941 5bdce8 14939->14941 14943 5b4770 4 API calls 14939->14943 14942 5bdd23 14940->14942 14944 5b4770 4 API calls 14940->14944 14948 5b46a0 memmove 14941->14948 14945 5bddbf 14942->14945 14947 5b6380 16 API calls 14942->14947 14943->14941 14944->14942 14946 5b4f90 19 API calls 14945->14946 14949 5bddcf 14946->14949 14950 5bdd47 14947->14950 14948->14940 14951 5b4f90 19 API calls 14949->14951 14952 5c62e0 9 API calls 14950->14952 14953 5bdde6 14951->14953 14954 5bdd65 14952->14954 14955 5b6350 15 API calls 14953->14955 14956 5bdda9 14954->14956 14958 5bdd84 14954->14958 14960 5b4770 4 API calls 14954->14960 14957 5bddf9 14955->14957 14956->14945 14961 5b4770 4 API calls 14956->14961 14959 5b4f40 18 API calls 14957->14959 14964 5b46a0 memmove 14958->14964 14962 5bde0c 14959->14962 14960->14958 14961->14945 14963 5bde21 14962->14963 14965 5b4770 4 API calls 14962->14965 14966 5bde4b GetFileAttributesA 14963->14966 14967 5b4770 4 API calls 14963->14967 14964->14956 14965->14963 14968 5bde64 14966->14968 14969 5bde78 14966->14969 14967->14966 14968->14969 17450 5ba3e0 RemoveDirectoryA 14968->17450 14971 5bded0 14969->14971 14972 5bdea5 GetFileAttributesA 14969->14972 14975 5bdedf 14971->14975 14976 5b4770 4 API calls 14971->14976 14973 5bdeca 14972->14973 14974 5bdeb6 14972->14974 14973->14971 14974->14973 14978 5ba3e0 3 API calls 14974->14978 14977 5bdf03 14975->14977 14979 5b4770 4 API calls 14975->14979 14976->14975 14980 5bdf27 14977->14980 14982 5b4770 4 API calls 14977->14982 14978->14973 14979->14977 14981 5ce02b __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 14980->14981 14983 5b2bf7 14981->14983 14982->14980 14984 5c1e20 14983->14984 14985 5b2620 117 API calls 14984->14985 14986 5c1e63 OpenSCManagerW 14985->14986 
14987 5c20bf GetLastError 14986->14987 14988 5c1e7f 14986->14988 14990 5b2590 117 API calls 14987->14990 14989 5bd1a0 19 API calls 14988->14989 14991 5c1e8c 14989->14991 14992 5c20d5 14990->14992 14993 5bd1a0 19 API calls 14991->14993 14994 5b4270 18 API calls 14992->14994 14995 5c1ea0 14993->14995 14996 5c20f7 14994->14996 14997 5bd1a0 19 API calls 14995->14997 14996->14996 14998 5c1eb1 CreateServiceA 14997->14998 14999 5c1fcb ChangeServiceConfig2W CloseServiceHandle CloseServiceHandle 14998->14999 15000 5c1f02 GetLastError CloseServiceHandle 14998->15000 15003 5c204a 14999->15003 15004 5c2054 14999->15004 15001 5c1f19 15000->15001 15002 5c1f56 15000->15002 15008 5b2590 117 API calls 15001->15008 15007 5c1f68 15002->15007 15010 5b4770 4 API calls 15002->15010 15005 5b4770 4 API calls 15003->15005 15006 5c2078 15004->15006 15009 5b4770 4 API calls 15004->15009 15005->15004 15011 5c20a3 15006->15011 15014 5b4770 4 API calls 15006->15014 15012 5c1f8c 15007->15012 15015 5b4770 4 API calls 15007->15015 15013 5c1f29 15008->15013 15009->15006 15010->15007 15016 5b2620 117 API calls 15011->15016 15017 5c1fb0 15012->15017 15020 5b4770 4 API calls 15012->15020 15018 5b4030 18 API calls 15013->15018 15014->15011 15015->15012 15019 5c20b7 15016->15019 15021 5ce02b __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 15017->15021 15022 5c1f38 15018->15022 15019->14987 15020->15017 15024 5b2bfe 15021->15024 15023 5bc940 16 API calls 15022->15023 15025 5c1f45 _CxxThrowException 15023->15025 15026 5c1cd0 15024->15026 15025->15002 15027 5bd1a0 19 API calls 15026->15027 15028 5c1d06 15027->15028 15029 5c1de6 15028->15029 15030 5b2620 117 API calls 15028->15030 15031 5c1dfd 15029->15031 15033 5b4770 4 API calls 15029->15033 15032 5c1d32 OpenSCManagerW 15030->15032 15036 5ce02b __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 
15031->15036 15034 5c1d4e OpenServiceA 15032->15034 15035 5c1dd0 GetLastError 15032->15035 15033->15031 15038 5c1d6c StartServiceW 15034->15038 15039 5c1daa GetLastError 15034->15039 15037 5b2590 117 API calls 15035->15037 15040 5b2c05 15036->15040 15037->15029 15042 5c1d7d GetLastError 15038->15042 15043 5c1d96 CloseServiceHandle CloseServiceHandle 15038->15043 15041 5b2590 117 API calls 15039->15041 15040->14172 16249 5b2590 15040->16249 15044 5c1dc0 CloseServiceHandle 15041->15044 15045 5b2590 117 API calls 15042->15045 15043->15029 15044->15029 15046 5c1d93 15045->15046 15046->15043 15048 5bd1bf 15047->15048 15049 5bd20f 15048->15049 15050 5bd1e3 15048->15050 15052 5c62e0 9 API calls 15049->15052 15051 5b4270 18 API calls 15050->15051 15053 5bd205 15051->15053 15054 5bd21c 15052->15054 15053->14175 15055 5b4370 16 API calls 15054->15055 15056 5bd242 15055->15056 15056->14175 15058 5b2620 117 API calls 15057->15058 15059 5c2316 OpenSCManagerW 15058->15059 15060 5c261a GetLastError 15059->15060 15061 5c2335 15059->15061 15064 5b2590 117 API calls 15060->15064 15062 5c25fd 15061->15062 15063 5c233f OpenServiceA 15061->15063 15065 5b2590 117 API calls 15062->15065 15066 5c25cd GetLastError 15063->15066 15067 5c235e ChangeServiceConfig2W GetTickCount QueryServiceStatusEx 15063->15067 15068 5c2630 15064->15068 15070 5c260c CloseServiceHandle 15065->15070 15069 5b2590 117 API calls 15066->15069 15071 5c25a6 GetLastError 15067->15071 15090 5c23dd 15067->15090 15075 5b2620 117 API calls 15068->15075 15073 5c25ef CloseServiceHandle 15069->15073 15070->15068 15072 5b2590 117 API calls 15071->15072 15076 5c25bc CloseServiceHandle CloseServiceHandle 15072->15076 15073->15068 15074 5c252a CloseServiceHandle CloseServiceHandle 15074->15068 15078 5c2647 15075->15078 15076->15068 15077 5c2482 ControlService 15080 5c2595 GetLastError 15077->15080 15092 5c2497 15077->15092 15079 5c265c 15078->15079 15081 5b4770 4 API calls 15078->15081 15083 5ce02b 
__ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 15079->15083 15082 5c251a 15080->15082 15081->15079 15087 5b2590 117 API calls 15082->15087 15086 5b2c2f CreateEventW 15083->15086 15084 5c2524 15084->15074 15085 5c2423 Sleep QueryServiceStatusEx 15089 5c250e GetLastError 15085->15089 15085->15090 15086->14178 15086->14179 15087->15084 15088 5c24a7 Sleep QueryServiceStatusEx 15091 5c2587 GetLastError 15088->15091 15088->15092 15089->15082 15090->15074 15090->15077 15090->15085 15093 5c245f GetTickCount 15090->15093 15096 5b2620 117 API calls 15090->15096 15101 5c247a 15090->15101 15091->15082 15092->15084 15092->15088 15094 5c2561 15092->15094 15095 5c24d1 GetTickCount 15092->15095 15104 5c24e3 CloseServiceHandle CloseServiceHandle 15092->15104 15093->15090 15097 5c24f7 15093->15097 15098 5b2620 117 API calls 15094->15098 15095->15092 15099 5c253b 15095->15099 15096->15090 15100 5b2590 117 API calls 15097->15100 15103 5c2570 CloseServiceHandle CloseServiceHandle 15098->15103 15102 5b2590 117 API calls 15099->15102 15100->15101 15101->15077 15101->15084 15105 5c254a CloseServiceHandle CloseServiceHandle 15102->15105 15103->15068 15104->15068 15105->15068 15107 5c8248 GetLastError 15106->15107 15108 5c8270 SetEvent CloseHandle RegisterWindowMessageW FindWindowW 15106->15108 15109 5b2590 117 API calls 15107->15109 15110 5c829f PostMessageW 15108->15110 15111 5c82ab 15108->15111 15112 5c825e 15109->15112 15110->15111 15113 5b2620 117 API calls 15111->15113 15115 5ce02b __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 15112->15115 15114 5c82ba 15113->15114 15116 5c82c0 OpenMutexW 15114->15116 15117 5c826c 15115->15117 15118 5c830c GetLastError 15116->15118 15119 5c82d8 15116->15119 15117->14195 15121 5b2590 117 API calls 15118->15121 15120 5b2620 117 API calls 15119->15120 15122 5c82e7 CloseHandle Sleep 
15120->15122 15123 5c8322 15121->15123 15122->15116 15124 5c8304 15122->15124 15125 5c832b RegGetValueW 15123->15125 15124->15125 15146 5c83cf 15124->15146 15126 5b2620 117 API calls 15125->15126 15131 5c836f 15126->15131 15127 5c83dd GetWindowThreadProcessId 15129 5c8447 GetLastError 15127->15129 15130 5c83f3 15127->15130 15128 5ce02b __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 15133 5c846c 15128->15133 15132 5b2620 117 API calls 15129->15132 15134 5c83fa OpenProcess 15130->15134 15136 5c845d 15130->15136 15135 5c837d OpenProcess 15131->15135 15131->15146 15132->15136 15133->14195 15137 5c840c TerminateProcess GetLastError 15134->15137 15138 5c8434 CloseHandle 15134->15138 15139 5c838e TerminateProcess GetLastError 15135->15139 15140 5c83b9 GetLastError 15135->15140 15136->15128 15143 5b2620 117 API calls 15137->15143 15144 5ce02b __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 15138->15144 15141 5b2620 117 API calls 15139->15141 15142 5b2590 117 API calls 15140->15142 15145 5c83af CloseHandle 15141->15145 15142->15146 15147 5c842e 15143->15147 15148 5c8443 15144->15148 15145->15146 15146->15127 15146->15136 15147->15138 15148->14195 15150 5b2620 117 API calls 15149->15150 15151 5c2146 OpenSCManagerW 15150->15151 15152 5c226d GetLastError 15151->15152 15153 5c2162 15151->15153 15154 5b2590 117 API calls 15152->15154 15155 5c216b OpenServiceA 15153->15155 15156 5c2250 15153->15156 15158 5c2283 15154->15158 15159 5c218d ChangeServiceConfig2W DeleteService CloseServiceHandle 15155->15159 15160 5c2220 GetLastError 15155->15160 15157 5b2590 117 API calls 15156->15157 15162 5c225f CloseServiceHandle 15157->15162 15166 5b2620 117 API calls 15158->15166 15163 5c21dc 15159->15163 15164 5c2202 GetLastError 15159->15164 15161 5b2590 117 API calls 15160->15161 15165 5c2242 CloseServiceHandle 15161->15165 
15162->15158 15167 5b2620 117 API calls 15163->15167 15168 5b2590 117 API calls 15164->15168 15165->15158 15169 5c229a 15166->15169 15170 5c21f7 CloseServiceHandle 15167->15170 15171 5c2218 CloseServiceHandle 15168->15171 15172 5c22af 15169->15172 15173 5b4770 4 API calls 15169->15173 15170->15158 15171->15158 15174 5ce02b __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 15172->15174 15173->15172 15175 5b2d79 15174->15175 15175->14205 15177 5bd1a0 19 API calls 15176->15177 15178 5c0e45 15177->15178 15179 5c2100 129 API calls 15178->15179 15180 5c0e4a 15179->15180 15181 5b4270 18 API calls 15180->15181 15182 5c0e75 15181->15182 15183 5c22d0 147 API calls 15182->15183 15184 5c0e7a 15183->15184 15185 5b4270 18 API calls 15184->15185 15186 5c0ea5 15185->15186 15187 5c2100 129 API calls 15186->15187 15188 5c0eaa 15187->15188 15189 5bd010 32 API calls 15188->15189 15190 5c0eb2 15189->15190 15191 5b4f40 18 API calls 15190->15191 15192 5c0ec8 15191->15192 15193 5b4f40 18 API calls 15192->15193 15194 5c0edb 15193->15194 15195 5c0ef0 15194->15195 15196 5b4770 4 API calls 15194->15196 15197 5c0f18 GetFileAttributesA 15195->15197 15200 5b4770 4 API calls 15195->15200 15196->15195 15198 5c0f80 15197->15198 15199 5c0f41 15197->15199 15202 5c0f92 15198->15202 15204 5b4770 4 API calls 15198->15204 15199->15198 15201 5c0f45 15199->15201 15200->15197 17454 5ba790 15201->17454 15205 5ce02b __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 15202->15205 15204->15202 15207 5b2d9a Sleep 15205->15207 15213 5b4e60 15207->15213 15214 5ce041 new 4 API calls 15213->15214 15215 5b2dc0 CreateToolhelp32Snapshot 15214->15215 15215->14213 15215->14214 15217 5b4136 15216->15217 15221 5b40ee 15216->15221 15221->15217 15229 5b6f9d 15228->15229 15231 5b6fbc WideCharToMultiByte 15228->15231 15244 5bcae0 58 API calls 15243->15244 15245 5c84e8 
15244->15245 16244 5ce041 new 4 API calls 16243->16244 16245 5b6ae2 InitializeCriticalSection 16244->16245 16245->14117 16247 5ba444 MoveFileExA 16246->16247 16248 5ba453 16246->16248 16247->16248 16248->14140 16250 5b25ed 16249->16250 16251 5b25c0 16249->16251 16254 5b260e 16250->16254 16256 5b6c80 116 API calls 16250->16256 16252 5ce041 new 4 API calls 16251->16252 16253 5b25c7 16252->16253 16255 5b6a80 5 API calls 16253->16255 16254->14172 16255->16250 16256->16254 16258 5b4720 _invalid_parameter_noinfo_noreturn 16257->16258 16259 5b4726 16257->16259 16258->16259 16260 5b475f 16259->16260 16261 5b473a 16259->16261 16262 5b4734 _invalid_parameter_noinfo_noreturn 16259->16262 16260->14256 16262->16261 16269 5b4e60 4 API calls 16268->16269 16325 5bd460 SHGetSpecialFolderPathA 16308->16325 16311 5b4f40 18 API calls 16312 5bd063 16311->16312 16331 5b6350 16312->16331 16315 5b4f40 18 API calls 16316 5bd088 16315->16316 16317 5bd09d 16316->16317 16318 5b4770 4 API calls 16316->16318 16319 5bd0c1 16317->16319 16320 5b4770 4 API calls 16317->16320 16318->16317 16321 5bd0e5 16319->16321 16322 5b4770 4 API calls 16319->16322 16320->16319 16323 5ce02b __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 16321->16323 16322->16321 16324 5bd0fd 16323->16324 16324->14333 16326 5bd4b3 16325->16326 16326->16326 16327 5b4270 18 API calls 16326->16327 16328 5bd4d8 16327->16328 16329 5ce02b __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 16328->16329 16330 5bd04d 16329->16330 16330->16311 16336 5b45b0 16331->16336 16337 5b45d0 16336->16337 16338 5b45c5 ?_Xout_of_range@std@@YAXPBD 16336->16338 16339 5b45e8 ?_Xlength_error@std@@YAXPBD 16337->16339 16340 5b45f3 16337->16340 16338->16337 16339->16340 16341 5b460e 16340->16341 16342 5b4603 ?_Xlength_error@std@@YAXPBD 16340->16342 16346 5b4639 16340->16346 16344 5b461c 16341->16344 
16351 5b4cd0 16341->16351 16342->16341 16345 5b4662 memmove 16344->16345 16344->16346 16345->16346 16347 5b3fb0 16346->16347 16348 5b3fd1 16347->16348 16349 5b3fe7 16347->16349 16348->16349 16350 5b3fd9 memmove 16348->16350 16349->16315 16350->16349 16352 5b4d0d 16351->16352 16353 5b4d72 16352->16353 16354 5b4d51 16352->16354 16360 5b4d46 16352->16360 16357 5ce041 new 4 API calls 16353->16357 16355 5b4d58 ?_Xbad_alloc@std@ 16354->16355 16356 5b4d5e 16354->16356 16355->16356 16359 5ce041 new 4 API calls 16356->16359 16357->16360 16358 5b4dc7 16361 5b4770 4 API calls 16358->16361 16363 5b4dd8 16358->16363 16359->16360 16360->16358 16362 5b4dbc memmove 16360->16362 16361->16363 16362->16358 16363->16344 16370 5ce8fd 16364->16370 16366 5ce97e _CxxThrowException 16371 5ce8ca 16367->16371 16369 5ce961 _CxxThrowException 16370->16366 16371->16369 16383 5b5120 16372->16383 16374 5b4270 18 API calls 16376 5b5bda 16374->16376 16375 5b5ba1 16375->16374 16377 5ce02b __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 16376->16377 16378 5b5468 16377->16378 16378->14370 16380 5b46b0 16379->16380 16382 5b46c6 16379->16382 16381 5b46b8 memmove 16380->16381 16380->16382 16381->16382 16382->14384 16386 5b2320 16383->16386 16385 5b5138 __stdio_common_vsprintf_s 16385->16375 16386->16385 16388 5b6c8d ___scrt_initialize_default_local_stdio_options 16387->16388 16389 5b6cb9 __stdio_common_vsprintf 16388->16389 16394 5b6c20 16389->16394 16391 5ce02b __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 16392 5b6ce8 16391->16392 16392->14413 16395 5b6c3b 16394->16395 16396 5b6c65 16394->16396 16395->16396 16399 5b55b0 16395->16399 16494 5ba740 GetFileAttributesA 16395->16494 16396->16391 16403 5b55cb 16399->16403 16400 5b5b34 16401 5ce02b 
__ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 16400->16401 16402 5b5b4c 16401->16402 16402->16395 16403->16400 16404 5b5686 _stat64i32 16403->16404 16405 5b586e _stat64i32 16404->16405 16406 5b56a1 16404->16406 16414 5b59d2 fopen 16405->16414 16415 5b588f 16405->16415 16406->16405 16407 5b56b1 16406->16407 16408 5b4370 16 API calls 16407->16408 16412 5b56df 16408->16412 16410 5b58a9 16410->16414 16583 5b4090 16410->16583 16411 5b571b 16417 5b5b60 25 API calls 16411->16417 16412->16411 16416 5b570b 16412->16416 16414->16400 16418 5b59f3 GetModuleFileNameW _wsplitpath_s wcscat_s 16414->16418 16415->16410 16423 5ba740 GetFileAttributesA 16415->16423 16521 5b3f30 16416->16521 16420 5b5726 16417->16420 16496 5b3ed0 16418->16496 16424 5b45b0 14 API calls 16420->16424 16423->16410 16427 5b573a 16424->16427 16426 5b5a62 16429 5b6f70 21 API calls 16426->16429 16430 5b3f70 4 API calls 16427->16430 16428 5b5901 16431 5b5b60 25 API calls 16428->16431 16432 5b5a7a 16429->16432 16433 5b5749 GetFileAttributesA 16430->16433 16435 5b590c 16431->16435 16503 5b8210 GetLocalTime 16432->16503 16439 5b5769 16433->16439 16434 5b3f30 17 API calls 16434->16428 16437 5b45b0 14 API calls 16435->16437 16440 5b5920 16437->16440 16441 5b5786 16439->16441 16528 5ba760 _mkdir 16439->16528 16444 5b3f70 4 API calls 16440->16444 16443 5b3f30 17 API calls 16441->16443 16446 5b5796 fopen 16443->16446 16447 5b592f 16444->16447 16454 5b581c 16446->16454 16455 5b57b7 16446->16455 16449 5ba740 GetFileAttributesA 16447->16449 16452 5b5948 16449->16452 16450 5b5add 16513 5b3f70 16450->16513 16456 5b5965 16452->16456 16460 5ba760 2 API calls 16452->16460 16531 5b5bf0 16454->16531 16459 5b8210 25 API calls 16455->16459 16461 5b3f30 17 API calls 16456->16461 16464 5b57c2 16459->16464 16460->16456 16465 5b5975 16461->16465 16462 5b3f70 4 API calls 16466 5b5af6 16462->16466 16471 5b5150 __stdio_common_vsprintf 16464->16471 16468 
5b6380 16 API calls 16465->16468 16517 5b3e90 16466->16517 16472 5b598a 16468->16472 16475 5b57e1 16471->16475 16476 5b6350 15 API calls 16472->16476 16474 5b6350 15 API calls 16477 5b584d 16474->16477 16478 5b3f70 4 API calls 16475->16478 16479 5b599f 16476->16479 16577 5b60c0 16477->16577 16482 5b57ef fwrite fclose 16478->16482 16483 5b60c0 5 API calls 16479->16483 16482->16454 16484 5b59aa 16483->16484 16486 5b3f70 4 API calls 16484->16486 16489 5b59b5 16486->16489 16487 5b3f70 4 API calls 16490 5b5863 16487->16490 16491 5b3f70 4 API calls 16489->16491 16490->16489 16492 5b59c0 16491->16492 16493 5b3f70 4 API calls 16492->16493 16493->16414 16495 5ba74c 16494->16495 16495->16395 16497 5b3f03 16496->16497 16498 5b3ef1 16496->16498 16501 5b40e0 20 API calls 16497->16501 16499 5b40e0 20 API calls 16498->16499 16500 5b3efc 16499->16500 16500->16426 16502 5b3f29 16501->16502 16502->16426 16504 5b5120 __stdio_common_vsprintf_s 16503->16504 16505 5b8265 16504->16505 16506 5b4270 18 API calls 16505->16506 16507 5b82a5 16506->16507 16508 5ce02b __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 16507->16508 16509 5b5a8b GetCurrentProcessId 16508->16509 16510 5b5150 16509->16510 16586 5b2320 16510->16586 16512 5b5168 __stdio_common_vsprintf 16512->16450 16514 5b3f7b 16513->16514 16515 5b3f84 16513->16515 16516 5b4770 4 API calls 16514->16516 16515->16462 16516->16515 16518 5b3e9b 16517->16518 16519 5b3ea4 fwrite fclose 16517->16519 16520 5b4710 5 API calls 16518->16520 16519->16400 16520->16519 16522 5b3f4a 16521->16522 16523 5b3f3c 16521->16523 16526 5b4490 17 API calls 16522->16526 16524 5b4490 17 API calls 16523->16524 16525 5b3f45 16524->16525 16525->16411 16527 5b3f61 16526->16527 16527->16411 16529 5ba77e 16528->16529 16530 5ba771 _errno 16528->16530 16529->16441 16530->16529 16532 5b5c26 _stat64i32 16531->16532 16534 5b5c48 16532->16534 16535 5b5c41 16532->16535 16587 5b7270 16534->16587 
16536 5ce02b __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 16535->16536 16538 5b5823 16536->16538 16569 5b6380 16538->16569 16539 5b5c61 16600 5bb980 16539->16600 16543 5b5cb7 16544 5b5cf2 16543->16544 16681 5b6140 16543->16681 16693 5b6220 16544->16693 16548 5b6140 18 API calls 16549 5b5d1a 16548->16549 16550 5b6220 16 API calls 16549->16550 16551 5b5d30 16550->16551 16702 5b6460 16551->16702 16553 5b5d71 _wstat64i32 16553->16551 16554 5b5d89 wcsnlen 16553->16554 16705 5b7180 16554->16705 16556 5b5dad 16557 5b7180 21 API calls 16556->16557 16558 5b5dd6 rename 16557->16558 16559 5b5e19 16558->16559 16560 5b5e26 16558->16560 16561 5b4770 4 API calls 16559->16561 16562 5b5e59 16560->16562 16563 5b4770 4 API calls 16560->16563 16561->16560 16564 5b5e8c 16562->16564 16565 5b4710 5 API calls 16562->16565 16563->16562 16718 5b5ef0 16564->16718 16565->16564 16568 5b4710 5 API calls 16568->16535 16572 5b63d8 16569->16572 16570 5b640e 16571 5b45b0 14 API calls 16570->16571 16573 5b6431 16571->16573 16572->16570 17039 5b4930 16572->17039 16575 5b45b0 14 API calls 16573->16575 16576 5b5838 16575->16576 16576->16474 16578 5b60ea 16577->16578 16579 5b5858 16577->16579 16580 5b60fb 16578->16580 16581 5b4770 4 API calls 16578->16581 16579->16487 16582 5b46a0 memmove 16580->16582 16581->16580 16582->16579 16584 5b4370 16 API calls 16583->16584 16585 5b40b3 16584->16585 16585->16428 16585->16434 16586->16512 16588 5b72be MultiByteToWideChar 16587->16588 16589 5b729e 16587->16589 16734 5b7470 16588->16734 16591 5ce02b __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 16589->16591 16593 5b72ba 16591->16593 16593->16539 16596 5b734c 16598 5ce02b __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 16596->16598 16597 5b4710 5 API calls 16597->16596 
16599 5b735b 16598->16599 16599->16539 16601 5bb9c4 16600->16601 16602 5bb9e0 16601->16602 16603 5b4810 18 API calls 16601->16603 16760 5bc500 16602->16760 16603->16602 16608 5bba95 16810 5bb680 16608->16810 16614 5bbb3d 16833 5bb6c0 16614->16833 16619 5bba59 16623 5bba6b 16619->16623 16627 5b4710 5 API calls 16619->16627 16621 5badc0 36 API calls 16625 5bbac0 16621->16625 16622 5bbbe5 16861 5bb700 16622->16861 16623->16608 16633 5b4710 5 API calls 16623->16633 16624 5bba32 16634 5b75c0 memmove 16624->16634 16630 5bbb01 16625->16630 16635 5bbada 16625->16635 16639 5b4710 5 API calls 16625->16639 16627->16623 16629 5b4710 5 API calls 16629->16624 16638 5bbb13 16630->16638 16642 5b4710 5 API calls 16630->16642 16633->16608 16634->16619 16651 5b75c0 memmove 16635->16651 16636 5badc0 36 API calls 16640 5bbb68 16636->16640 16637 5bbc89 16643 5bbc9b 16637->16643 16647 5b4710 5 API calls 16637->16647 16638->16614 16648 5b4710 5 API calls 16638->16648 16639->16635 16645 5bbba9 16640->16645 16652 5bbb82 16640->16652 16655 5b4710 5 API calls 16640->16655 16642->16638 16644 5ce02b __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 16643->16644 16650 5b5c7c 16644->16650 16649 5bbbbb 16645->16649 16654 5b4710 5 API calls 16645->16654 16647->16643 16648->16614 16649->16622 16656 5b4710 5 API calls 16649->16656 16666 5b4810 16650->16666 16651->16630 16658 5b75c0 memmove 16652->16658 16653 5badc0 36 API calls 16660 5bbc10 16653->16660 16654->16649 16655->16652 16656->16622 16657 5bbc51 16662 5b4710 5 API calls 16657->16662 16663 5bbc63 16657->16663 16658->16645 16659 5bbc2a 16665 5b75c0 memmove 16659->16665 16660->16657 16660->16659 16661 5b4710 5 API calls 16660->16661 16661->16659 16662->16663 16663->16637 16664 5b4710 5 API calls 16663->16664 16664->16637 16665->16657 16667 5b4830 16666->16667 16668 5b4825 ?_Xout_of_range@std@@YAXPBD 16666->16668 16669 5b4878 16667->16669 16670 5b483e 16667->16670 
                                                                            APIs
                                                                            • new.LIBCMT ref: 005B270C
                                                                              • Part of subcall function 005CE041: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,005B4D78,00000001,3A04C82C,0000023A,?,00000000), ref: 005CE068
                                                                              • Part of subcall function 005B52A0: GetFileAttributesA.KERNELBASE(0000001C,.txt,00000004,postinstall,0000000B,7'[,?,3A04C82C,?,?), ref: 005B53BA
                                                                              • Part of subcall function 005B52A0: _mkdir.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(0000001C,?,?), ref: 005B53D2
                                                                              • Part of subcall function 005B52A0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B53DF
                                                                            • new.LIBCMT ref: 005B2748
                                                                              • Part of subcall function 005CE041: _callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,005B4D78,00000001,3A04C82C,0000023A,?,00000000), ref: 005CE049
                                                                              • Part of subcall function 005B6A80: new.LIBCMT ref: 005B6ADD
                                                                              • Part of subcall function 005B6A80: InitializeCriticalSection.KERNEL32(00000004), ref: 005B6AF4
                                                                            • memset.VCRUNTIME140(00000000,00000000,?,?), ref: 005B27C2
                                                                            • wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,00000000,00000000,?,?), ref: 005B27D5
                                                                            • strtok.API-MS-WIN-CRT-STRING-L1-1-0(?,005D350C,005D34F6,00000000,005D34F6,00000000,005D34F6,00000000), ref: 005B286C
                                                                            • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,exe=,00000004,post_install,%d) token %s,00000000,00000000), ref: 005B28A0
                                                                            • Sleep.KERNELBASE(000007D0), ref: 005B28AE
                                                                            • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,inst=,00000005), ref: 005B28E4
                                                                            • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,005D3540,00000002), ref: 005B2930
                                                                            • atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(00000002), ref: 005B293D
                                                                            • strtok.API-MS-WIN-CRT-STRING-L1-1-0(00000000,005D350C), ref: 005B2A3D
                                                                            • OleInitialize.OLE32(00000000), ref: 005B2A67
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(shutdown.dat,?,post_install,Ole init result: %d,00000000), ref: 005B2A8F
                                                                            • remove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(shutdown.dat), ref: 005B2A9D
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?,inst.dat,00000008), ref: 005B2B14
                                                                            • OleUninitialize.OLE32(00000000,00000011), ref: 005B2B65
                                                                            • new.LIBCMT ref: 005B2BA8
                                                                            • memset.VCRUNTIME140(00000000,00000000,00000088), ref: 005B2BC1
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,Global\Exit_7a176276-e800-4daa-b5e8-7febbd3efc4a), ref: 005B2C3D
                                                                            • SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000088), ref: 005B2C54
                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000088), ref: 005B2C5C
                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000088), ref: 005B2C64
                                                                              • Part of subcall function 005B2590: new.LIBCMT ref: 005B25C2
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,Global\Exit_7a176276-e800-4daa-b5e8-7febbd3efc4a), ref: 005B2CBC
                                                                            • GetLastError.KERNEL32 ref: 005B2CCC
                                                                            • SetEvent.KERNEL32(00000000), ref: 005B2CE8
                                                                            • Sleep.KERNELBASE(000001F4), ref: 005B2CEF
                                                                            • CloseHandle.KERNEL32(?), ref: 005B2CFB
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,Global\KNIT_NFS_EXIT_CD1DF70D-8191-4840-B884-76C2620B8ED3), ref: 005B2D11
                                                                            • GetLastError.KERNEL32 ref: 005B2D21
                                                                            • SetEvent.KERNEL32(00000000), ref: 005B2D43
                                                                            • Sleep.KERNELBASE(000001F4), ref: 005B2D50
                                                                            • CloseHandle.KERNEL32(?), ref: 005B2D58
                                                                            • Sleep.KERNELBASE(000003E8), ref: 005B2D63
                                                                            • Sleep.KERNELBASE(000001F4), ref: 005B2D9F
                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 005B2DD0
                                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 005B2DF7
                                                                            • tolower.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?), ref: 005B2ECC
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(list<T> too long,00000000,?,?,?,?), ref: 005B30D4
                                                                            • Process32NextW.KERNEL32(?,0000022C), ref: 005B3114
                                                                            • FindCloseChangeNotification.KERNELBASE(?), ref: 005B3128
                                                                            • WinExec.KERNEL32(00000000,00000000), ref: 005B31B6
                                                                            • Sleep.KERNEL32(000003E8), ref: 005B3249
                                                                            • Sleep.KERNEL32(000003E8), ref: 005B3266
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4783
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4790
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B479D
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B47A8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Sleep$Event$CloseCreate_invalid_parameter_noinfo_noreturn$ErrorHandleLaststrncmp$InitializeProcess32_stat64i32memsetstrtok$AttributesChangeCriticalExecFileFindFirstNextNotificationSectionSnapshotToolhelp32UninitializeXlength_error@std@@_callnewh_errno_mkdiratoimallocremovetolowerwcstombs
                                                                            • String ID: #$%d) token %s$Failed to launch Update Service$Failed to launch process monitor$Failed to launch startup service$Failed to launch system service$Global\Exit_7a176276-e800-4daa-b5e8-7febbd3efc4a$Global\KNIT_NFS_EXIT_CD1DF70D-8191-4840-B884-76C2620B8ED3$Install path: %s$Ole init result: %d$Reinstall : %d$STARTUP GU TYPE : %d$STARTUP SET GU TYPE : %d$Show dialog: %d$cannot initialize network exit event (%d)$cannot initialized app exit event (%d)$delete 'shutdown.dat': %d$exe=$inst.dat$inst=$lic.dat$list<T> too long$post_install$retry cp dll$shutdown.dat$stealth_manager$taskkill /F /PID $uninstall_util$w
                                                                            • API String ID: 1867157247-3166035333
                                                                            • Opcode ID: 1fdc082be18e6eb29192be33e4e116f15534e24b5a183baffd4f6c0b298dea34
                                                                            • Instruction ID: e628d30d082a724082685c8a406e3606dc095f3675b94c74ee0e7ed3cb760b4d
                                                                            • Opcode Fuzzy Hash: 1fdc082be18e6eb29192be33e4e116f15534e24b5a183baffd4f6c0b298dea34
                                                                            • Instruction Fuzzy Hash: 4592B370E002559FDB25AF68DC0ABEDBFB4BF55300F14419AE405AB282DB716B45CFA2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%
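The post_install routine listed above creates two named global events (Global\KNIT_NFS_EXIT_... and, per the string table, Global\Exit_...), takes a Toolhelp32 snapshot with dwFlags 0x2 (TH32CS_SNAPPROCESS), walks it with Process32FirstW/Process32NextW while lower-casing names with tolower, and reaches WinExec next to a `taskkill /F /PID ` format string. Named kernel objects of that kind are the cheapest host indicator this listing yields: the name is fixed in the binary and the object exists only while the component runs. The Python below is an added example written for this page, not code from Joe Sandbox or from the sample. It parses API-call lines in the report's own line format (the sample lines are copied from this listing), pulls out Global\ and Local\ object names, tags the behaviour groups, and on a Windows host probes for the named events with OpenEventW. The behaviour-tag table and the probe are my own assumptions, not report fields.

```python
import ctypes
import re
import sys

# Constructed sample: API-call lines copied from the post_install listing above,
# in the report's own format "<API>.<module>(<args>), ref: <address>".
SAMPLE_LINES = r"""
• CreateEventW.KERNEL32(00000000,00000001,00000000,Global\KNIT_NFS_EXIT_CD1DF70D-8191-4840-B884-76C2620B8ED3), ref: 005B2D11
• GetLastError.KERNEL32 ref: 005B2D21
• Sleep.KERNELBASE(000001F4), ref: 005B2D50
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 005B2DD0
• Process32FirstW.KERNEL32(00000000,?), ref: 005B2DF7
• Process32NextW.KERNEL32(?,0000022C), ref: 005B3114
• WinExec.KERNEL32(00000000,00000000), ref: 005B31B6
  • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4783
"""

# One report line: optional "Part of subcall function XXXX:" prefix, API.module,
# optional "(args)", then "ref: <hex address>".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[^\s.(]+)\.(?P<mod>[^\s(]+?)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Assumption: my own grouping of APIs into behaviours; not a report field.
BEHAVIOUR_TAGS = {
    "process-enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "process-launch": {"WinExec", "CreateProcessW", "CreateProcessA", "ShellExecuteW"},
    "named-sync-object": {"CreateEventW", "CreateEventA", "CreateMutexW", "CreateMutexA"},
}
TH32CS_SNAPPROCESS = 0x2  # the dwFlags value passed to CreateToolhelp32Snapshot above


def parse_calls(text):
    """Turn report lines into dicts; subcall lines are kept but flagged."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        calls.append({"api": m.group("api"), "module": m.group("mod"), "args": args,
                      "ref": int(m.group("ref"), 16), "subcall": m.group("sub") is not None})
    return calls


def named_objects(calls):
    """Global\\ / Local\\ kernel-object names passed to any call: host IOCs."""
    return [a for c in calls for a in c["args"] if a.startswith(("Global\\", "Local\\"))]


def behaviours(calls):
    """Tag the function by which API groups appear among its direct calls."""
    seen = {c["api"] for c in calls if not c["subcall"]}
    tags = {tag for tag, apis in BEHAVIOUR_TAGS.items() if seen & apis}
    # A snapshot taken with TH32CS_SNAPPROCESS is a full process walk, not a thread/module listing.
    for c in calls:
        if c["api"] == "CreateToolhelp32Snapshot" and c["args"]:
            try:
                if int(c["args"][0], 16) & TH32CS_SNAPPROCESS:
                    tags.add("process-walk")
            except ValueError:
                pass  # "?" means the report could not recover the argument
    return sorted(tags)


def event_exists_on_host(name):
    """Windows-only live check: does the named event exist right now?
    Returns True/False, or None when not running on Windows."""
    if sys.platform != "win32":
        return None
    SYNCHRONIZE = 0x00100000
    k32 = ctypes.windll.kernel32
    k32.OpenEventW.restype = ctypes.c_void_p
    handle = k32.OpenEventW(SYNCHRONIZE, False, name)
    if handle:
        k32.CloseHandle(ctypes.c_void_p(handle))
        return True
    return False


if __name__ == "__main__":
    calls = parse_calls(SAMPLE_LINES)
    print("behaviours:", behaviours(calls))
    for obj in named_objects(calls):
        print(f"named object {obj}: present={event_exists_on_host(obj)}")
```

On a non-Windows triage box the script only parses and tags; the probe returns None. A True from event_exists_on_host on a live machine means the component (or something reusing its event names) is running at that moment, so follow up with a handle search on the owning process rather than treating the name alone as proof.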

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 005B2620: new.LIBCMT ref: 005B2652
                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,75920F00,00000000,?,?,?,?,?,?,00000000,005D0A48,000000FF,?,005B2D79), ref: 005C2152
                                                                            • OpenServiceA.ADVAPI32(00000000,?,00010002), ref: 005C217D
                                                                            • ChangeServiceConfig2W.ADVAPI32(00000000), ref: 005C21C0
                                                                            • DeleteService.ADVAPI32(00000000), ref: 005C21C7
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 005C21D6
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 005C21FB
                                                                            • GetLastError.KERNEL32 ref: 005C2202
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 005C221C
                                                                            • GetLastError.KERNEL32 ref: 005C222B
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 005C224C
                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,005D0A48,000000FF,?,005B2D79), ref: 005C2269
                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,005D0A48,000000FF,?,005B2D79), ref: 005C226D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Service$CloseHandle$ErrorLast$Open$ChangeConfig2DeleteManager
                                                                            • String ID: %s enter {$%s exit }$CStealthManager::deleteService$Can't delete the service %d$Can't find service$Error can't open service %s for deleting: %d$OpenSCManager failed (%d)$Successfully delete (or pending delete) Service %s$stealth_manager$y-[
                                                                            • API String ID: 219838797-1123794500
                                                                            • Opcode ID: 9d108cd8b2427bc40793c7329d861f3c0008f6fd97e38f2765c973f758a9f380
                                                                            • Instruction ID: b990a164dbdf2e2284858a46f026c3d24ba7eb72c7bf54a1e08230dcc71bda04
                                                                            • Opcode Fuzzy Hash: 9d108cd8b2427bc40793c7329d861f3c0008f6fd97e38f2765c973f758a9f380
                                                                            • Instruction Fuzzy Hash: 16416475D45209AFCB209F99DC4AEAEBFB8FF58700F004457F905A7251E770AA048FA2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 2262 5c6a90-5c6b29 call 5b40e0 call 5cc150 2267 5c6b2f-5c6b3f WTSQueryUserToken 2262->2267 2268 5c6c20-5c6c27 2262->2268 2269 5c6c0b-5c6c18 GetLastError call 5b2590 2267->2269 2270 5c6b45-5c6b60 SHGetFolderPathW 2267->2270 2271 5c6c29-5c6c44 SHGetSpecialFolderPathW 2268->2271 2272 5c6c75-5c6cae call 5b40e0 2268->2272 2284 5c6c1d 2269->2284 2275 5c6ba2-5c6ba9 2270->2275 2276 5c6b62-5c6b6a 2270->2276 2273 5c6c4a-5c6c50 2271->2273 2274 5c6c46-5c6c48 2271->2274 2293 5c6dfe-5c6e3c call 5b7e40 2272->2293 2294 5c6cb4-5c6d12 call 5b40e0 call 5bc1c0 2272->2294 2280 5c6c53-5c6c5c 2273->2280 2279 5c6c62-5c6c70 call 5b40e0 2274->2279 2285 5c6bab-5c6bb3 2275->2285 2286 5c6bb7 2275->2286 2281 5c6b6c-5c6b6e 2276->2281 2282 5c6b70-5c6b79 2276->2282 2279->2272 2280->2280 2290 5c6c5e-5c6c60 2280->2290 2292 5c6b8f-5c6b9d call 5b40e0 2281->2292 2295 5c6b80-5c6b89 2282->2295 2284->2268 2287 5c6bfd-5c6c09 CloseHandle 2285->2287 2288 5c6bb5 2285->2288 2289 5c6bbd-5c6bcb call 5c69f0 2286->2289 2287->2268 2288->2289 2289->2287 2304 5c6bcd-5c6bd7 2289->2304 2290->2279 2292->2275 2305 5c70b4-5c70bd 2293->2305 2306 5c6e42-5c6e94 call 5c6a40 call 5c6990 FindFirstFileW 2293->2306 2318 5c6d98-5c6def call 5b4810 call 5b6140 * 2 2294->2318 2319 5c6d18-5c6d39 call 5bbed0 2294->2319 2295->2295 2299 5c6b8b-5c6b8d 2295->2299 2299->2292 2304->2287 2310 5c6bd9-5c6bf8 call 5b2590 call 5b40e0 2304->2310 2308 5c70cc-5c70f2 2305->2308 2309 5c70bf-5c70c7 call 5b4710 2305->2309 2333 5c709f-5c70b1 GetLastError call 5b2590 2306->2333 2334 5c6e9a-5c6ebe call 5b3ed0 * 2 2306->2334 2314 5c70f4-5c70fc call 5b4710 2308->2314 2315 5c7101-5c711e call 5ce02b 2308->2315 2309->2308 2310->2287 2314->2315 2318->2293 2350 5c6df1-5c6df9 call 5b4710 2318->2350 2331 5c6d7c-5c6d89 2319->2331 2332 5c6d3b-5c6d44 2319->2332 2331->2318 2338 5c6d8b-5c6d93 call 5b4710 2331->2338 2336 5c6d46-5c6d4e call 5b4710 2332->2336 2337 5c6d53-5c6d77 call 5b75c0 2332->2337 2333->2305 2353 5c6ec2-5c6ec9 2334->2353 2336->2337 2337->2331 2338->2318 2350->2293 2354 5c6ecf-5c6ee7 2353->2354 2355 5c7015-5c7025 FindNextFileW 2353->2355 2356 5c6eed-5c6eef 2354->2356 2357 5c6ee9-5c6eeb 2354->2357 2355->2353 2358 5c702b-5c7034 GetLastError 2355->2358 2360 5c6ef2-5c6efb 2356->2360 2359 5c6f07-5c6f34 call 5b40e0 2357->2359 2361 5c7049-5c7059 FindClose 2358->2361 2362 5c7036-5c7046 call 5b2590 2358->2362 2372 5c6f48-5c6f50 2359->2372 2373 5c6f36-5c6f43 call 5b6140 2359->2373 2360->2360 2363 5c6efd-5c6f05 2360->2363 2366 5c7068-5c708e 2361->2366 2367 5c705b-5c7063 call 5b4710 2361->2367 2362->2361 2363->2359 2366->2305 2371 5c7090-5c709d call 5b4710 2366->2371 2367->2366 2371->2305 2376 5c6f56-5c6f5f 2372->2376 2377 5c6f52-5c6f54 2372->2377 2373->2372 2380 5c6f60-5c6f69 2376->2380 2379 5c6f6f-5c6fd1 call 5b6140 call 5b4810 call 5b6140 * 2 call 5b6f70 2377->2379 2392 5c6fd5-5c6ff4 _stat64i32 2379->2392 2393 5c6fd3 2379->2393 2380->2380 2382 5c6f6b-5c6f6d 2380->2382 2382->2379 2394 5c6ff6-5c6ffe call 5b4770 2392->2394 2395 5c7003-5c7005 2392->2395 2393->2392 2394->2395 2395->2355 2397 5c7007-5c7010 call 5bace0 2395->2397 2397->2355
                                                                            APIs
                                                                              • Part of subcall function 005CC150: WTSEnumerateSessionsA.WTSAPI32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 005CC172
                                                                              • Part of subcall function 005CC150: WTSFreeMemory.WTSAPI32(?), ref: 005CC199
                                                                            • WTSQueryUserToken.WTSAPI32(00000000,00000000,005D39AC,00000000,3A04C82C,00000000), ref: 005C6B37
                                                                            • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 005C6B58
                                                                            • CloseHandle.KERNEL32(00000000,?), ref: 005C6C03
                                                                            • GetLastError.KERNEL32 ref: 005C6C0B
                                                                            • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001C,00000000,005D39AC,00000000,3A04C82C,00000000), ref: 005C6C36
                                                                            • FindFirstFileW.KERNELBASE(?,?,?,?,?), ref: 005C6E83
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?,extensions.json,0000000F,005D3808,00000001,?,00000000,000000FF,00000000,-00000002,?,?,005D39AC,005D39AC), ref: 005C6FDD
                                                                            • FindNextFileW.KERNELBASE(00000000,00000010,005D39AC,005D39AC,?,?,?), ref: 005C701D
                                                                            • GetLastError.KERNEL32(?,?,?), ref: 005C702B
                                                                            • FindClose.KERNEL32(00000000,?,?,?), ref: 005C704A
                                                                            • GetLastError.KERNEL32(?,?,?), ref: 005C709F
                                                                              • Part of subcall function 005B2590: new.LIBCMT ref: 005B25C2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorFindLast$CloseFileFolderPath$EnumerateFirstFreeHandleMemoryNextQuerySessionsSpecialTokenUser_stat64i32
                                                                            • String ID: Directory path is too long.$Error in FindFirstFile : %d$Error in FindNextFile : %d$Mozilla\Firefox\Profiles\$Query user token error = %d$Roaming\$\AppData\$extensions.json$stealth_manager
                                                                            • API String ID: 420821120-1158375998
                                                                            • Opcode ID: 45646c55b844c023e5f8a085c552a0bcd461fb86c807e2f2d28653a2c8454f1c
                                                                            • Instruction ID: 358e8fd83557ed66838cae961f60afd58dcb32543ce05909f01daf664d6e72ef
                                                                            • Opcode Fuzzy Hash: 45646c55b844c023e5f8a085c552a0bcd461fb86c807e2f2d28653a2c8454f1c
                                                                            • Instruction Fuzzy Hash: 540269709042299EDB24DB64CC9DBEEBBB8FF54304F1001DAE40AA6191EB756F85CF61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%
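This function resolves the logged-on user's token through WTSEnumerateSessionsA and WTSQueryUserToken, asks SHGetFolderPathW for CSIDL 0x1A (CSIDL_APPDATA, the Roaming folder; the `Roaming\` and `\AppData\` strings are the hand-built fallback), then walks Mozilla\Firefox\Profiles\ with FindFirstFileW/FindNextFileW and stats each profile's extensions.json. That file is Firefox's add-on registry, so the natural triage step is to read the same files from the defender's side. The Python below is an added example for this page, not code from the report or from the sample. It locates extensions.json for every user on the host (the sample only handles the session user), lists the add-ons with their signing state, and checks whether a manifest was rewritten recently. The JSON fields it reads (addons, id, location, active, signedState, defaultLocale.name) are the stock Firefox schema as I know it; the manifest embedded in the block is constructed for the offline demo, not taken from any real profile.

```python
import json
import os
import sys
import tempfile
import time
from pathlib import Path

# Same layout the listing builds: <Roaming>\Mozilla\Firefox\Profiles\<profile>\extensions.json
PROFILE_SUBPATH = Path("Mozilla") / "Firefox" / "Profiles"


def roaming_roots():
    """Every user's Roaming AppData on a Windows host; [] elsewhere.
    (The sample resolves only the session user via WTSQueryUserToken.)"""
    if sys.platform != "win32":
        return []
    users = Path(os.environ.get("SystemDrive", "C:") + "\\") / "Users"
    return [u / "AppData" / "Roaming" for u in users.iterdir()
            if (u / "AppData" / "Roaming").is_dir()]


def find_extension_manifests(roaming_root):
    """extensions.json of each profile directory under one Roaming root."""
    profiles = Path(roaming_root) / PROFILE_SUBPATH
    if not profiles.is_dir():
        return []
    return sorted(p / "extensions.json" for p in profiles.iterdir()
                  if p.is_dir() and (p / "extensions.json").is_file())


def summarize_addons(manifest_path, unsigned_only=False):
    """One dict per add-on from Firefox's extensions.json.  Assumes the stock
    schema: an "addons" list whose entries carry id, location, active,
    signedState (> 0 means signed) and defaultLocale.name."""
    with open(manifest_path, encoding="utf-8") as f:
        data = json.load(f)
    out = []
    for a in data.get("addons", []):
        rec = {"id": a.get("id"), "name": (a.get("defaultLocale") or {}).get("name"),
               "location": a.get("location"), "active": a.get("active"),
               "signed": (a.get("signedState") or 0) > 0}
        if unsigned_only and rec["signed"]:
            continue
        out.append(rec)
    return out


def modified_within(manifest_path, seconds, now=None):
    """True if the manifest's mtime lies inside the last `seconds`; the sample
    stats this file, and a rewrite right after a suspect install is the tell."""
    now = time.time() if now is None else now
    return (now - os.path.getmtime(manifest_path)) < seconds


# Constructed manifest (not from any real profile) shaped like extensions.json.
SAMPLE_MANIFEST = {
    "schemaVersion": 35,
    "addons": [
        {"id": "builtin@example.test", "location": "app-builtin", "active": True,
         "signedState": 3, "defaultLocale": {"name": "Built-in example"}},
        {"id": "dropped@example.test", "location": "app-profile", "active": True,
         "signedState": 0, "defaultLocale": {"name": "Dropped example"}},
    ],
}


def build_sample_tree(root):
    """Lay out <root>/Mozilla/Firefox/Profiles/abcd1234.default/extensions.json."""
    prof = Path(root) / PROFILE_SUBPATH / "abcd1234.default"
    prof.mkdir(parents=True, exist_ok=True)
    path = prof / "extensions.json"
    path.write_text(json.dumps(SAMPLE_MANIFEST), encoding="utf-8")
    return path


def run_demo():
    """Offline end-to-end run over the constructed tree; returns the findings."""
    with tempfile.TemporaryDirectory() as d:
        manifest = build_sample_tree(d)
        found = find_extension_manifests(d)
        unsigned = summarize_addons(manifest, unsigned_only=True)
        return {
            "manifests": [p.relative_to(d).as_posix() for p in found],
            "addons": summarize_addons(manifest),
            "unsigned_profile_addons": [a["id"] for a in unsigned if a["location"] == "app-profile"],
            "fresh": modified_within(manifest, 3600),
            "stale_check": modified_within(manifest, 1, now=time.time() + 60),
        }


if __name__ == "__main__":
    for root in roaming_roots():
        for m in find_extension_manifests(root):
            print(m, summarize_addons(m, unsigned_only=True), modified_within(m, 86400))
    print(run_demo())
```

An unsigned add-on whose location is app-profile, in a manifest touched around the time the sample ran, is the combination worth pulling the profile's extensions directory for; signed app-builtin and app-system-defaults entries are the browser's own and are expected in every profile.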

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 005B2620: new.LIBCMT ref: 005B2652
                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,3A04C82C,00000000,00000000), ref: 005C11AF
                                                                            • _CxxThrowException.VCRUNTIME140(?,005DCC24,00000011,Error on service control manager), ref: 005C1208
                                                                            • GetLastError.KERNEL32 ref: 005C11BB
                                                                              • Part of subcall function 005B2590: new.LIBCMT ref: 005B25C2
                                                                            • CreateServiceA.ADVAPI32(00000000,?,?,C0000012,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 005C12D4
                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000005,?,00000004,?,00000003), ref: 005C12E0
                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00000005,?,00000004,?,00000003), ref: 005C12E9
                                                                            • ChangeServiceConfig2W.ADVAPI32(00000000,00000002,00000004,?,?,?,?,?,?,?,00000005,?), ref: 005C1384
                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00000005,?), ref: 005C1391
                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00000005,?), ref: 005C1394
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4783
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4790
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B479D
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B47A8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Service$_invalid_parameter_noinfo_noreturn$CloseHandle$ErrorLast$ChangeConfig2CreateExceptionManagerOpenThrow
                                                                            • String ID: %s enter {$%s exit }$CStealthManager::setupStartUpService$Error Creating services$Error Creating services %d$Error on service control manager$Error on service control manager: %d$Service Display name: %s$Service name: %s$ServiceExe path: %s$stealth_manager
                                                                            • API String ID: 1505281203-3321287816
                                                                            • Opcode ID: 71183ec9ede4dfc5e56008f9eb1cecb66b56fbb94dca1772c8e4876267837717
                                                                            • Instruction ID: b9301befffa4c85cf60a9ab25178552fdc744000060138f5eccff1a36730a694
                                                                            • Opcode Fuzzy Hash: 71183ec9ede4dfc5e56008f9eb1cecb66b56fbb94dca1772c8e4876267837717
                                                                            • Instruction Fuzzy Hash: 91715070A40248EEEB20EBA8CC4AFDE7FB5FB45704F50005BE505A72C2D7B569458F66
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 005B2620: new.LIBCMT ref: 005B2652
                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,3A04C82C,00000000,00000000), ref: 005C0B9F
                                                                            • _CxxThrowException.VCRUNTIME140(?,005DCC24,00000011,Error on service control manager), ref: 005C0BF8
                                                                            • GetLastError.KERNEL32 ref: 005C0BAB
                                                                              • Part of subcall function 005B2590: new.LIBCMT ref: 005B25C2
                                                                            • CreateServiceA.ADVAPI32(00000000,?,?,C0000012,00000010,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 005C0CC1
                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000012,?,00000011,?,00000010), ref: 005C0CCD
                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00000012,?,00000011,?,00000010), ref: 005C0CD6
                                                                            • ChangeServiceConfig2W.ADVAPI32(00000000,00000002,00000011,?,?,?,?,?,?,?,00000012,?), ref: 005C0D71
                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00000012,?), ref: 005C0D7E
                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00000012,?), ref: 005C0D81
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4783
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4790
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B479D
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B47A8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Service$_invalid_parameter_noinfo_noreturn$CloseHandle$ErrorLast$ChangeConfig2CreateExceptionManagerOpenThrow
                                                                            • String ID: %s enter {$%s exit }$CStealthManager::setupNetworkFilterService$Error Creating services$Error Creating services %d$Error on service control manager$Error on service control manager: %d$Service Display name: %s$Service name: %s$ServiceExe path: %s$stealth_manager
                                                                            • API String ID: 1505281203-1686654831
                                                                            • Opcode ID: 7ef3a44d3391b716f12dd154ed5fead23ba4a8f303ba14e936fde78c31663667
                                                                            • Instruction ID: 265e73f9b30bd0c52d06f242415cd2d6bec205ab2c7cd7f4ec534ce9231c3a15
                                                                            • Opcode Fuzzy Hash: 7ef3a44d3391b716f12dd154ed5fead23ba4a8f303ba14e936fde78c31663667
                                                                            • Instruction Fuzzy Hash: F7715E70A44209EEEB20EB98CC4AFEEBFB5FB48704F50005BE505A72C2D7B569458F61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 005B2620: new.LIBCMT ref: 005B2652
                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,3A04C82C,00000000,00000000), ref: 005C186F
                                                                            • CreateServiceA.ADVAPI32(00000000,?,?,C0000012,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 005C1946
                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,0000000B,?,0000000A,?,00000009), ref: 005C1956
                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,0000000B,?,0000000A,?,00000009), ref: 005C195F
                                                                              • Part of subcall function 005B2590: new.LIBCMT ref: 005B25C2
                                                                            • _CxxThrowException.VCRUNTIME140(?,005DCC24,?,00000000,?,?,?,?,?,?,?,?,?,?,0000000B,?), ref: 005C1999
                                                                            • ChangeServiceConfig2W.ADVAPI32(00000000,00000002,0000000A,?,?,?,?,?,?,?,0000000B,?), ref: 005C1A78
                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,0000000B,?), ref: 005C1A85
                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,0000000B,?), ref: 005C1A88
                                                                            • GetLastError.KERNEL32 ref: 005C1B07
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Service$CloseHandle$ErrorLast$ChangeConfig2CreateExceptionManagerOpenThrow
                                                                            • String ID: %s enter {$%s exit }$CStealthManager::setupProcessMonitorService$Error Creating services %d$Error on service control manager: %d$Service display name: %s$Service name: %s$Service path: %s$stealth_manager
                                                                            • API String ID: 2238952430-1689939351
                                                                            • Opcode ID: 51707b9357dfbf966e744fac1b3e5990d8b769712b1500145359a8229f9162ab
                                                                            • Instruction ID: 186a3ce80e9248e10f0c7667e1a314465a4d10ee1b5bdb6a751873de83b89499
                                                                            • Opcode Fuzzy Hash: 51707b9357dfbf966e744fac1b3e5990d8b769712b1500145359a8229f9162ab
                                                                            • Instruction Fuzzy Hash: A0812B70940219EEEB20DB98CC4AFEEBFB9FB09700F50405AE415B7282D7B56945CFA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 005B2620: new.LIBCMT ref: 005B2652
                                                                            • OpenSCManagerW.SECHOST(00000000,00000000,000F003F,3A04C82C,750292F0,00000000), ref: 005C1E6F
                                                                            • CreateServiceA.ADVAPI32(00000000,?,?,C0000012,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000,?,0000000F,?), ref: 005C1EF2
                                                                            • GetLastError.KERNEL32 ref: 005C1F02
                                                                            • _CxxThrowException.VCRUNTIME140(?,005DCC24,00000011,Error Creating services), ref: 005C1F51
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 005C1F0B
                                                                              • Part of subcall function 005B2590: new.LIBCMT ref: 005B25C2
                                                                            • ChangeServiceConfig2W.ADVAPI32 ref: 005C2030
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 005C203D
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 005C2040
                                                                            • GetLastError.KERNEL32 ref: 005C20BF
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Service$CloseHandle$ErrorLast$ChangeConfig2CreateExceptionManagerOpenThrow
                                                                            • String ID: %s enter {$%s exit }$CStealthManager::setupUpdateService$Error Creating services$Error Creating services %d$Error on service control manager$Error on service control manager: %d$stealth_manager
                                                                            • API String ID: 2238952430-3493398701
                                                                            • Opcode ID: 390a95121a52eb91a50e9255026248ef2208a74f440a4703bfda6834c159959e
                                                                            • Instruction ID: e9a3cfd416d26ba0b13a281cd65fccf9dc49caeb0a3e441959726578eb557690
                                                                            • Opcode Fuzzy Hash: 390a95121a52eb91a50e9255026248ef2208a74f440a4703bfda6834c159959e
                                                                            • Instruction Fuzzy Hash: 18716F70900209AFEB20EBA8CC4ABEEBFB5FB45700F50005AE515BB2D2D7B56945CF65
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 005B2620: new.LIBCMT ref: 005B2652
                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,000F0001,00000000,00000000), ref: 005C1B8E
                                                                            • OpenServiceA.ADVAPI32(00000000,?,A0000012), ref: 005C1BB0
                                                                            • ChangeServiceConfig2W.ADVAPI32(00000000), ref: 005C1C13
                                                                            • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 005C1C1E
                                                                            • GetLastError.KERNEL32 ref: 005C1C2A
                                                                              • Part of subcall function 005B2590: new.LIBCMT ref: 005B25C2
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 005C1C44
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 005C1C51
                                                                            • GetLastError.KERNEL32 ref: 005C1C59
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 005C1C75
                                                                            • GetLastError.KERNEL32 ref: 005C1C7D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Service$CloseErrorHandleLast$Open$ChangeConfig2ManagerStart
                                                                            • String ID: Cannot open OpenSCManager error code %d$Cannot open service, error code: %d$Failed to start the service, error code: %d$Launching process monitor service: %s$stealth_manager
                                                                            • API String ID: 845704753-3905018406
                                                                            • Opcode ID: c2f6a58910efbf22787aa60db7e2ee1e5e4ed69ff5c00ae6ea016a7debef8055
                                                                            • Instruction ID: 25788b66679380bb482e8294f9c2c42ef9787492e951e9edc6c965b007213bbf
                                                                            • Opcode Fuzzy Hash: c2f6a58910efbf22787aa60db7e2ee1e5e4ed69ff5c00ae6ea016a7debef8055
                                                                            • Instruction Fuzzy Hash: A6416E71941209EFDB209FD4DC4EBEEBBB8FB59704F10001BF501A6281E7B55A08CBA2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%
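The three CStealthManager traces above share one service-installation pattern: OpenSCManagerW, then CreateServiceA with dwDesiredAccess 0xC0000012, dwServiceType 0x110 and dwStartType 2, then ChangeServiceConfig2W with info level 2, and, in the launcher, OpenServiceA with 0xA0000012 followed by StartServiceW. The decoder below is an added example written for this report, not code from the sample or from Joe Sandbox. Its constants are the documented winsvc.h/winnt.h values; it assumes the IDA plugin printed the arguments in declaration order (positions it could not recover are shown as "?" in the trace and are passed as None here).

```python
"""Decode the service-control arguments recorded in the CStealthManager traces.

Added example: the numeric arguments are copied from the report's
CreateServiceA / OpenSCManagerW / OpenServiceA / ChangeServiceConfig2W lines,
assuming they appear in declaration order (an assumption about the plugin's
rendering). The constants are the public winsvc.h / winnt.h definitions.
"""

SERVICE_TYPE = {0x001: "SERVICE_KERNEL_DRIVER", 0x002: "SERVICE_FILE_SYSTEM_DRIVER",
                0x010: "SERVICE_WIN32_OWN_PROCESS", 0x020: "SERVICE_WIN32_SHARE_PROCESS",
                0x100: "SERVICE_INTERACTIVE_PROCESS"}
START_TYPE = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
              3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}
ERROR_CONTROL = {0: "SERVICE_ERROR_IGNORE", 1: "SERVICE_ERROR_NORMAL",
                 2: "SERVICE_ERROR_SEVERE", 3: "SERVICE_ERROR_CRITICAL"}
CONFIG2_LEVEL = {1: "SERVICE_CONFIG_DESCRIPTION", 2: "SERVICE_CONFIG_FAILURE_ACTIONS",
                 3: "SERVICE_CONFIG_DELAYED_AUTO_START_INFO",
                 4: "SERVICE_CONFIG_FAILURE_ACTIONS_FLAG"}

# ACCESS_MASK layout: generic rights in the top nibble, standard rights in
# bits 16-20, object-specific rights in the low 16 bits.
GENERIC_BITS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
STANDARD_BITS = {0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
                 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}
SERVICE_BITS = {0x1: "SERVICE_QUERY_CONFIG", 0x2: "SERVICE_CHANGE_CONFIG",
                0x4: "SERVICE_QUERY_STATUS", 0x8: "SERVICE_ENUMERATE_DEPENDENTS",
                0x10: "SERVICE_START", 0x20: "SERVICE_STOP", 0x40: "SERVICE_PAUSE_CONTINUE",
                0x80: "SERVICE_INTERROGATE", 0x100: "SERVICE_USER_DEFINED_CONTROL"}
SCM_BITS = {0x1: "SC_MANAGER_CONNECT", 0x2: "SC_MANAGER_CREATE_SERVICE",
            0x4: "SC_MANAGER_ENUMERATE_SERVICE", 0x8: "SC_MANAGER_LOCK",
            0x10: "SC_MANAGER_QUERY_LOCK_STATUS", 0x20: "SC_MANAGER_MODIFY_BOOT_CONFIG"}


def _bits(mask, table):
    """Names of the bits of `mask` that `table` knows, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if mask & bit]


def decode_access(mask, specific):
    """Split an ACCESS_MASK into object-specific, standard and generic rights;
    bits none of the tables cover are returned in 'unknown' for manual review."""
    known = 0
    for table in (GENERIC_BITS, STANDARD_BITS, specific):
        for bit in table:
            known |= bit
    rights = _bits(mask, specific) + _bits(mask, STANDARD_BITS) + _bits(mask, GENERIC_BITS)
    return {"rights": rights, "unknown": mask & ~known & 0xFFFFFFFF}


def decode_create_service(args):
    """`args` is the CreateServiceA tuple as printed in the report, i.e.
    (hSCManager, lpServiceName, lpDisplayName, dwDesiredAccess, dwServiceType,
     dwStartType, dwErrorControl, lpBinaryPathName, ...); '?' entries are None."""
    access, stype, start, errctl = args[3], args[4], args[5], args[6]
    return {"access": decode_access(access, SERVICE_BITS)["rights"],
            "service_type": _bits(stype, SERVICE_TYPE),
            "start_type": START_TYPE.get(start, f"unknown({start:#x})"),
            "error_control": ERROR_CONTROL.get(errctl, f"unknown({errctl:#x})")}


def persistence_indicators(decoded, config2_level=None):
    """Turn a decoded CreateServiceA call, plus the ChangeServiceConfig2W info
    level when the trace shows one, into the points a triage note would list."""
    out = []
    if decoded["start_type"] == "SERVICE_AUTO_START":
        out.append("auto-start service: runs at boot without user action")
    if "SERVICE_INTERACTIVE_PROCESS" in decoded["service_type"]:
        out.append("SERVICE_INTERACTIVE_PROCESS requested (only honoured for LocalSystem, "
                   "and interactive services are disabled by default since Windows 8)")
    if decoded["error_control"] == "SERVICE_ERROR_IGNORE":
        out.append("SERVICE_ERROR_IGNORE: a failed start is not written to the event log")
    if config2_level is not None:
        level = CONFIG2_LEVEL.get(config2_level, f"info level {config2_level}")
        if config2_level == 2:
            out.append("SERVICE_CONFIG_FAILURE_ACTIONS set: the SCM restarts the service if it dies")
        else:
            out.append(f"ChangeServiceConfig2W with {level}")
    return out


if __name__ == "__main__":
    # Values as they appear in the setupProcessMonitorService trace above.
    create = decode_create_service((0, None, None, 0xC0000012, 0x110, 2, 0, None))
    print(create)
    print(decode_access(0x000F003F, SCM_BITS))      # OpenSCManagerW in the installer
    print(decode_access(0x000F0001, SCM_BITS))      # OpenSCManagerW in the launcher
    print(decode_access(0xA0000012, SERVICE_BITS))  # OpenServiceA in the launcher
    for line in persistence_indicators(create, config2_level=2):
        print(" -", line)
```

For the values in the trace this yields SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS, SERVICE_AUTO_START, SERVICE_ERROR_IGNORE and SERVICE_CONFIG_FAILURE_ACTIONS: a self-restarting auto-start service, which is why the installer needs GENERIC_WRITE and SERVICE_CHANGE_CONFIG on the handle and the launcher only SERVICE_START plus the ability to rewrite the failure actions. Note that the service and display names are not in the report; the strings "Service name: %s" and "Service path: %s" are logger format strings, so the actual names are only known at runtime.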

                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32(00000020,3A04C82C,?,?,005CAD27,00000000,?,005CA9A5,005C862E,00000009), ref: 005CADC1
                                                                            • OpenProcessToken.ADVAPI32(00000000,?,?,005CAD27,00000000,?,005CA9A5,005C862E,00000009), ref: 005CADC8
                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000), ref: 005CAE07
                                                                            • AdjustTokenPrivileges.KERNELBASE(00000000,00000000,?,00000010,00000000,00000000,?,?,?,SeDebugPrivilege,?), ref: 005CAE42
                                                                            • CloseHandle.KERNEL32(?,?,?,?,SeDebugPrivilege,?), ref: 005CAE4B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
                                                                            • String ID: SeDebugPrivilege
                                                                            • API String ID: 3038321057-2896544425
                                                                            • Opcode ID: 4c5dca51d5d4ecf5796287406efa943db3caee81104373efdb028f64183956d2
                                                                            • Instruction ID: dd7e4e65de98ab9a6f52f74e90bebd67a2834145ecea534626a479499b67fe60
                                                                            • Opcode Fuzzy Hash: 4c5dca51d5d4ecf5796287406efa943db3caee81104373efdb028f64183956d2
                                                                            • Instruction Fuzzy Hash: 3F112871509301AFE320DFA0D84AB1BBBE8FB98704F004A1EF59496290D7B5E648DB93
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • memset.VCRUNTIME140(?,00000000,00000030,005C862E,00000009), ref: 005CA9B2
                                                                            • NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,?,?,005C862E,00000009), ref: 005CA9DB
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: InformationProcess64QueryWow64memset
                                                                            • String ID:
                                                                            • API String ID: 2094615266-0
                                                                            • Opcode ID: d66d6f013f7d27627efda06f44133b1097979aecb005ec38dd079f757229f2b1
                                                                            • Instruction ID: a98ca0e82321ed938b5557f05da38204c34b6c045642f82554fd07f8add8aa17
                                                                            • Opcode Fuzzy Hash: d66d6f013f7d27627efda06f44133b1097979aecb005ec38dd079f757229f2b1
                                                                            • Instruction Fuzzy Hash: A111A0316143065BD314EF64DC92B6BB7E8AFC5310F00061EB94687280EBB0A804C6A3
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • memset.VCRUNTIME140(?,00000000,000000C0,?,?,005C862E,?,?,?,?,?,?,005C862E,00000009,00000000), ref: 005CBC9D
                                                                            • NtWow64ReadVirtualMemory64.NTDLL(?,?,005C862E,?,000000C8,00000000,?,?,?,005C862E,?,?,?), ref: 005CBCDD
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Memory64ReadVirtualWow64memset
                                                                            • String ID:
                                                                            • API String ID: 1380373875-0
                                                                            • Opcode ID: 6767dc732231929b6ab2684e555c533e1cf28ab061db0c7b738e39f9a75a23d7
                                                                            • Instruction ID: 3742f9978b46b1d4696300e3dbc2f2c34c662713a1959fd010c1c55533e93dc8
                                                                            • Opcode Fuzzy Hash: 6767dc732231929b6ab2684e555c533e1cf28ab061db0c7b738e39f9a75a23d7
                                                                            • Instruction Fuzzy Hash: 6501A272601306ABE7209F55DC42F96BBA8FF86715F00422DF918A76C0E771A914C796
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • memset.VCRUNTIME140(0000000A,00000000,000003B7,00000000,3F800000,005C862E,005C862E,00000009,00000000), ref: 005CAA43
                                                                            • NtWow64ReadVirtualMemory64.NTDLL(?,005C862E,005C862E,00000009,000003B8,00000000,?,00000000,3F800000,005C862E,005C862E,00000009,00000000), ref: 005CAA83
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Memory64ReadVirtualWow64memset
                                                                            • String ID:
                                                                            • API String ID: 1380373875-0
                                                                            • Opcode ID: 388e583dbb92507e85687b7984d6907a559d287b51236e33666b878a41317b21
                                                                            • Instruction ID: ea688a6573ce8bf163181888f0e9eedb7ec471d8a1e0c8a976ea95bb3d729fb2
                                                                            • Opcode Fuzzy Hash: 388e583dbb92507e85687b7984d6907a559d287b51236e33666b878a41317b21
                                                                            • Instruction Fuzzy Hash: 0F01D632704305ABD7219F55DC42F97BFA9FF86714F04022DF954AB280E771EA14C692
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • memset.VCRUNTIME140(00000009,00000000,00000044,?,00000000,005C862E,?,?,?,005C862E,00000009,00000000), ref: 005CBC13
                                                                            • NtWow64ReadVirtualMemory64.NTDLL(?,?,005C862E,?,00000048,00000000,?,?,00000000,005C862E,?,?,?,005C862E,00000009,00000000), ref: 005CBC50
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Memory64ReadVirtualWow64memset
                                                                            • String ID:
                                                                            • API String ID: 1380373875-0
                                                                            • Opcode ID: 0f9b1c5d014d21dcac4424441e6e4045057cc533a05022515a09efa951c1516d
                                                                            • Instruction ID: 3043963733ae7e0aa23f9d2139b9b1c134d0243c45d0316eb9781a651ef74cbb
                                                                            • Opcode Fuzzy Hash: 0f9b1c5d014d21dcac4424441e6e4045057cc533a05022515a09efa951c1516d
                                                                            • Instruction Fuzzy Hash: 9401D6727003066BD7109F55DC46F9BBBA8FF85714F00422DFA18A72C0E770AA18C696
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • NtWow64ReadVirtualMemory64.NTDLL(?,?,?,?,?,00000000,005D1728,?,3A04C82C,?,00000000,005C862E,005D1728,000000FF), ref: 005CAB4C
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Memory64ReadVirtualWow64
                                                                            • String ID:
                                                                            • API String ID: 3357887247-0
                                                                            • Opcode ID: e15879e9e10abbb6a02116d9f2f1abd3435a20a2c441bba6f7b27aac4595470f
                                                                            • Instruction ID: 60355c007942ea922bfed63b1fa6eb5f11496d3c1055723eb31e789f132aa780
                                                                            • Opcode Fuzzy Hash: e15879e9e10abbb6a02116d9f2f1abd3435a20a2c441bba6f7b27aac4595470f
                                                                            • Instruction Fuzzy Hash: 05216D72A006099FDB11CF99D845BAEBBF8FF49714F10461EE814A7640DB75A9048BA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%
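The five traces above (memset to 0x30 followed by NtWow64QueryInformationProcess64, then memset to 0xC0/0x3B7/0x44 followed by NtWow64ReadVirtualMemory64 reads of 0xC8/0x3B8/0x48 bytes) have the shape of a 32-bit process walking a 64-bit target's PEB and loader lists. A WoW64 process cannot do that through ReadProcessMemory, whose base-address parameter is a 32-bit pointer, so it uses the NtWow64* exports of ntdll, which take 64-bit addresses. The parser below is an added example, not the sample's code: it reads 0x30 bytes as PROCESS_BASIC_INFORMATION64 and 0x48 bytes as PEB_LDR_DATA64 up to and including EntryInProgress (both are the documented sizes; that the sample intends these structures is an inference from the sizes, and the 0xC8 and 0x3B8 reads are deliberately left uninterpreted). The target memory is constructed for the demonstration and the `read_target` function stands in for NtWow64ReadVirtualMemory64.

```python
"""Walk PBI64 -> PEB64 -> PEB_LDR_DATA64 the way a WoW64 caller does with
NtWow64QueryInformationProcess64 / NtWow64ReadVirtualMemory64.

Added example. Structure layouts are the public 64-bit ntdll definitions; the
target bytes are constructed here, not captured from the sample."""
import struct

# PROCESS_BASIC_INFORMATION64 (0x30 bytes): ExitStatus, pad, PebBaseAddress,
# AffinityMask, BasePriority, pad, UniqueProcessId, InheritedFromUniqueProcessId.
PBI64 = struct.Struct("<IxxxxQQIxxxxQQ")
# PEB64 first 0x20 bytes: four flag bytes (BeingDebugged is the third), pad,
# Mutant, ImageBaseAddress, Ldr (the Ldr pointer sits at offset 0x18).
PEB64_HEAD = struct.Struct("<BBBBxxxxQQQ")
# PEB_LDR_DATA64 through EntryInProgress (0x48 bytes): Length, Initialized, pad,
# SsHandle, three LIST_ENTRY64 heads (Flink, Blink each), EntryInProgress.
LDR64 = struct.Struct("<IBxxxQQQQQQQQ")
assert (PBI64.size, PEB64_HEAD.size, LDR64.size) == (0x30, 0x20, 0x48)


def parse_pbi64(buf):
    _status, peb, _affinity, _prio, pid, ppid = PBI64.unpack_from(buf)
    return {"PebBaseAddress": peb, "UniqueProcessId": pid, "ParentProcessId": ppid}


def parse_peb64_head(buf):
    _, _, being_debugged, _, _mutant, image_base, ldr = PEB64_HEAD.unpack_from(buf)
    return {"BeingDebugged": being_debugged, "ImageBaseAddress": image_base, "Ldr": ldr}


def parse_ldr64(buf):
    f = LDR64.unpack_from(buf)
    return {"Length": f[0], "Initialized": f[1],
            "InLoadOrderModuleList": (f[3], f[4]),
            "InMemoryOrderModuleList": (f[5], f[6]),
            "InInitializationOrderModuleList": (f[7], f[8])}


def walk_to_ldr(pbi_bytes, read64):
    """Follow the 0x30-byte PBI to the PEB, then to the loader data, with the
    same read sizes the trace shows. `read64(addr, size)` plays the role of
    NtWow64ReadVirtualMemory64 and must accept addresses above 4 GiB."""
    pbi = parse_pbi64(pbi_bytes)
    peb = parse_peb64_head(read64(pbi["PebBaseAddress"], PEB64_HEAD.size))
    ldr = parse_ldr64(read64(peb["Ldr"], LDR64.size))
    return {"PebBaseAddress": pbi["PebBaseAddress"], "Ldr": peb["Ldr"],
            "BeingDebugged": peb["BeingDebugged"],
            # Flink of InLoadOrderModuleList: the first LDR_DATA_TABLE_ENTRY64,
            # which is normally the main image.
            "first_in_load_order": ldr["InLoadOrderModuleList"][0]}


# --- constructed target memory (assumed values, not from the sample) ---------
PEB_ADDR = 0x000000C31A2B0000   # above 4 GiB on purpose: a 32-bit pointer cannot
LDR_ADDR = 0x00007FFE12340000   # hold these, which is why the NtWow64* APIs exist
MOD_ADDR = LDR_ADDR + 0x1000

SAMPLE_PBI = PBI64.pack(0, PEB_ADDR, 0xFF, 8, 4242, 1000)
_TARGET = {
    PEB_ADDR: PEB64_HEAD.pack(0, 0, 0, 0, 0, 0x140000000, LDR_ADDR),
    LDR_ADDR: LDR64.pack(0x58, 1, 0, MOD_ADDR, MOD_ADDR, MOD_ADDR + 0x10,
                         MOD_ADDR + 0x10, MOD_ADDR + 0x20, MOD_ADDR + 0x20, 0),
}


def read_target(addr, size):
    """Fake NtWow64ReadVirtualMemory64 over the constructed regions above;
    raises on an unmapped range the way the real call returns STATUS_PARTIAL_COPY."""
    for base, data in _TARGET.items():
        if base <= addr and addr + size <= base + len(data):
            off = addr - base
            return data[off:off + size]
    raise ValueError(f"unmapped read at {addr:#x} (+{size:#x})")


if __name__ == "__main__":
    for key, val in walk_to_ldr(SAMPLE_PBI, read_target).items():
        print(f"{key:>20}: {val:#x}")
```

The point of the demonstration is the pointer width: every address returned here is above 0xFFFFFFFF, so a 32-bit ReadProcessMemory could not even express them. The memset-before-read pairs in the trace are consistent with this walk (zero a stack buffer, then fill it from the target), and the SeDebugPrivilege routine at 005CADC1 is what lets the sample open processes it does not own in the first place.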

                                                                            APIs
  • Part of subcall function 005B2620: new.LIBCMT ref: 005B2652
• GetFileAttributesA.KERNELBASE(?,?,?,?,3A04C82C,00000000,00000000), ref: 005C4A98
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 005C4BC8
• _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?,?,00000000,?,?,?,?,?,?,?,3A04C82C,00000000,00000000), ref: 005C4CCB
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 005C4D8C
• _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?,?,?,?,?,?,3A04C82C,00000000,00000000), ref: 005C4B01
  • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4783
  • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4790
  • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B479D
  • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B47A8
Strings
Memory Dump Source
• Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$File$Copy_stat64i32$Attributes
• String ID: %s enter {$%s exit }$8$CStealthManager::checkAndUpdatePocoLibrary$PocoCrypto.dll$PocoFoundation.dll$PocoJSON.dll$PocoNet.dll$PocoNetSSL.dll$PocoUtil.dll$PocoXML.dll$Update libcrypto dll$Update libssl dll$Update poco crypto dll$Update poco foundation dll$Update poco json dll$Update poco net dll$Update poco netssl dll$Update poco util dll$Update poco xml dll$[%d][%d][%d][%d][%d][%d][%d][%d][%d]$\PocoCrypto.dll$\PocoFoundation.dll$\PocoJSON.dll$\PocoNet.dll$\PocoNetSSL.dll$\PocoUtil.dll$\PocoXML.dll$\libcrypto.dll$\libssl.dll$libcrypto.dll$libs\$libssl.dll$stealth_manager
• API String ID: 3217670562-2732279055
• Opcode ID: b9ce5914f25a73dd296144c4407cade073c31ed6ae32cf402bc3bf648d23ccb1
• Instruction ID: 681fdf5f87af6cc91e111584f27e929486cbb39f30c451557d13510cdc9743cc
• Opcode Fuzzy Hash: b9ce5914f25a73dd296144c4407cade073c31ed6ae32cf402bc3bf648d23ccb1
• Instruction Fuzzy Hash: 7FA28470D04248DEEF14DFA8D849BEE7FB4BB05304F60449DD451AB282D7B5AA45CFA2
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph (interactive graph rendering not reproduced): entry block 5c22d0-5c232f; basic blocks reference call 5b2620, OpenSCManagerW, OpenServiceA, ChangeServiceConfig2W, GetTickCount, QueryServiceStatusEx, Sleep, ControlService, CloseServiceHandle, GetLastError, call 5b2590, call 5b4770 and call 5ce02b.
APIs
  • Part of subcall function 005B2620: new.LIBCMT ref: 005B2652
• OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,750292F0,00000000), ref: 005C2322
• OpenServiceA.ADVAPI32(00000000,?,00000026), ref: 005C234E
• ChangeServiceConfig2W.ADVAPI32(00000000), ref: 005C23B1
• GetTickCount.KERNEL32 ref: 005C23BD
• QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,?), ref: 005C23CF
• Sleep.KERNEL32(?,?), ref: 005C2424
• QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,?,?,?), ref: 005C2437
• GetTickCount.KERNEL32 ref: 005C245F
• ControlService.ADVAPI32(00000000,00000001,?), ref: 005C2489
• Sleep.KERNEL32(?), ref: 005C24AA
• QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,?), ref: 005C24B9
• GetTickCount.KERNEL32 ref: 005C24D1
• CloseServiceHandle.ADVAPI32(00000000), ref: 005C24ED
• CloseServiceHandle.ADVAPI32(?), ref: 005C24F0
• GetLastError.KERNEL32(?,?), ref: 005C250E
• CloseServiceHandle.ADVAPI32(00000000), ref: 005C2531
• CloseServiceHandle.ADVAPI32(00000000), ref: 005C2534
• CloseServiceHandle.ADVAPI32(00000000), ref: 005C2557
• CloseServiceHandle.ADVAPI32(?), ref: 005C255A
• CloseServiceHandle.ADVAPI32(00000000), ref: 005C257D
• CloseServiceHandle.ADVAPI32(?), ref: 005C2580
• GetLastError.KERNEL32 ref: 005C25A6
• CloseServiceHandle.ADVAPI32(00000000), ref: 005C25C6
• CloseServiceHandle.ADVAPI32(00000000), ref: 005C25C9
• GetLastError.KERNEL32 ref: 005C25D8
• CloseServiceHandle.ADVAPI32(00000000), ref: 005C25F9
• CloseServiceHandle.ADVAPI32(00000000), ref: 005C2616
• GetLastError.KERNEL32 ref: 005C261A
Strings
Memory Dump Source
• Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
Similarity
• API ID: Service$CloseHandle$ErrorLast$CountQueryStatusTick$OpenSleep$ChangeConfig2ControlManager
• String ID: %s enter {$%s exit }$/,[$CStealthManager::stopService$Can't find service$ControlService failed (%d)$OpenSCManager failed (%d)$OpenService [%s] failed (%d)$QueryServiceStatusEx 1 failed (%d)$QueryServiceStatusEx 2 failed (%d)$QueryServiceStatusEx 3 failed (%d)$Service stop timed out.$Service stopped successfully.$Wait timed out$stealth_manager
• API String ID: 656698291-3649251010
• Opcode ID: 9cbb77da90088b4ef825f1d3026012949de504c9cf4cb9fe3390eedbe2b75d9d
• Instruction ID: e32986275f6c999e0dad5e23bb1611baae33c437b5c19e406f91f9b23c8a1849
• Opcode Fuzzy Hash: 9cbb77da90088b4ef825f1d3026012949de504c9cf4cb9fe3390eedbe2b75d9d
• Instruction Fuzzy Hash: CC914071A45219AFDB209BD4DC4AFAE7F78FF18700F104417E505AB291E7745A44CFA2
Uniqueness

Uniqueness Score: -1.00%

APIs
• _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?,?,00000000,?,?,?,?,?,?,?,3A04C82C,00000000,00000000), ref: 005C4CCB
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 005C4D8C
• _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,3A04C82C), ref: 005C4E89
Strings
Memory Dump Source
• Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
Similarity
• API ID: _stat64i32$CopyFile
• String ID: %s exit }$8$CStealthManager::checkAndUpdatePocoLibrary$PocoFoundation.dll$PocoJSON.dll$PocoNet.dll$PocoNetSSL.dll$PocoUtil.dll$PocoXML.dll$Update libcrypto dll$Update poco foundation dll$Update poco json dll$Update poco net dll$Update poco netssl dll$Update poco util dll$Update poco xml dll$[%d][%d][%d][%d][%d][%d][%d][%d][%d]$\PocoFoundation.dll$\PocoJSON.dll$\PocoNet.dll$\PocoNetSSL.dll$\PocoUtil.dll$\PocoXML.dll$\libcrypto.dll$\libssl.dll$libcrypto.dll$libssl.dll$stealth_manager
• API String ID: 3823094038-755406834
• Opcode ID: d6a4be9c9bf3ef4db91ea005b64541d697ffd51a2e97b7672f97ecda5f37d757
• Instruction ID: 36365920433c03602684e04ffa4b6a3a292b4e6eb555d65284cad9914876d9cc
• Opcode Fuzzy Hash: d6a4be9c9bf3ef4db91ea005b64541d697ffd51a2e97b7672f97ecda5f37d757
• Instruction Fuzzy Hash: 51729E70D04248DEEF14DFE8D849BEE7FB4BB05304F604499E4516B282E775AA49CFA2
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph (interactive graph rendering not reproduced): entry block 5c4e24-5c4e90; basic blocks reference call 5b4f90, _stat64i32, CopyFileA, call 5b4370, call 5c4010, call 5b4770, call 5b2620 and call 5ce02b, repeated once per library file checked.
APIs
• _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,3A04C82C), ref: 005C4E89
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 005C4F4A
• _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?,?,00000000), ref: 005C5047
Strings
Memory Dump Source
• Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
Similarity
• API ID: _stat64i32$CopyFile
• String ID: %s exit }$8$CStealthManager::checkAndUpdatePocoLibrary$PocoJSON.dll$PocoNet.dll$PocoNetSSL.dll$PocoUtil.dll$PocoXML.dll$Update libcrypto dll$Update poco json dll$Update poco net dll$Update poco netssl dll$Update poco util dll$Update poco xml dll$[%d][%d][%d][%d][%d][%d][%d][%d][%d]$\PocoJSON.dll$\PocoNet.dll$\PocoNetSSL.dll$\PocoUtil.dll$\PocoXML.dll$\libcrypto.dll$\libssl.dll$libcrypto.dll$libssl.dll$stealth_manager
• API String ID: 3823094038-1151765924
• Opcode ID: 96bf4321ad0d6165b97833dcac369b23e38b84f73cd24822abb9d125c4bd11a3
• Instruction ID: 597dfc72cddc24d4c92668a7a4e4bd40a96d82ee3543897af0fd0ffc3b29357a
• Opcode Fuzzy Hash: 96bf4321ad0d6165b97833dcac369b23e38b84f73cd24822abb9d125c4bd11a3
• Instruction Fuzzy Hash: 81629070D04248DEEF14DFE8D849BEE7FB4BB05304F604499E4516B282E775AA49CFA2
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CreateEventW.KERNEL32(00000000,00000001,00000000,Global\Exit_5491c4d3-0a5f-4898-bec4-cd906998e306,00000000,?,?,?,?,005B2D06), ref: 005C823C
• GetLastError.KERNEL32(?,?,?,?,005B2D06), ref: 005C8248
  • Part of subcall function 005B2590: new.LIBCMT ref: 005B25C2
• SetEvent.KERNEL32(00000000,?,?,?,?,005B2D06), ref: 005C8271
• CloseHandle.KERNEL32(00000000,?,?,?,?,005B2D06), ref: 005C8278
• RegisterWindowMessageW.USER32(UWM_END_WINDOW_MSG_86A92825_6B57_423E_AAB1_13C85778886F,?,?,?,?,005B2D06), ref: 005C8283
• FindWindowW.USER32(W64StubClss_27b3f5cc,00000000), ref: 005C8292
• PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 005C82A5
• OpenMutexW.KERNEL32(00100000,00000000,APP_5491c4d3-0a5f-4898-bec4-cd906998e306,75923080,?,?,?,?,?,?,005B2D06), ref: 005C82CC
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,005B2D06), ref: 005C82F1
• Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,?,005B2D06), ref: 005C82F8
• RegGetValueW.KERNELBASE(80000002,SOFTWARE\Classes\CLSID\{d07606c8-6532-4d75-a46d-f5f5ac6ef74a}\MiscStatus\1,PID,00000010,00000000,FFFFFFFF,?), ref: 005C8354
• OpenProcess.KERNEL32(00000001,00000000,FFFFFFFF), ref: 005C8381
• TerminateProcess.KERNEL32(00000000,00000000), ref: 005C8390
• GetLastError.KERNEL32 ref: 005C8398
• CloseHandle.KERNEL32(?), ref: 005C83B5
• GetWindowThreadProcessId.USER32(?,FFFFFFFF), ref: 005C83E9
Strings
Memory Dump Source
• Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
Similarity
• API ID: CloseHandleProcessWindow$ErrorEventLastMessageOpen$CreateFindMutexPostRegisterSleepTerminateThreadValue
• String ID: APP_5491c4d3-0a5f-4898-bec4-cd906998e306$Cannot create mutex. The process might have been dead, Error %d. break$Get reg value: %d, pid: %d$Global\Exit_5491c4d3-0a5f-4898-bec4-cd906998e306$Open process error: %d$PID$SOFTWARE\Classes\CLSID\{d07606c8-6532-4d75-a46d-f5f5ac6ef74a}\MiscStatus\1$The process is still running, continue waiting$UWM_END_WINDOW_MSG_86A92825_6B57_423E_AAB1_13C85778886F$W64StubClss_27b3f5cc$Waiting for process to die$cannot initialized app exit event (%d)$terminate 2 result: %d, err: %d$terminate 2, err: %d$terminate result: %d, err: %d$uninstall_util
• API String ID: 736561401-2473979389
• Opcode ID: 65d24f2b17959cc070d64432e5003e7fb3264cb2bd37771c87439d929d21ea72
• Instruction ID: 93e2f8c8452273d2e613d26ccc230df41e828c839664a6a1fff9bfa4ca2cd022
• Opcode Fuzzy Hash: 65d24f2b17959cc070d64432e5003e7fb3264cb2bd37771c87439d929d21ea72
• Instruction Fuzzy Hash: 91517675A41206BBD7307BE59C0EFBF7F69FB64B11F004057F915A62C1DEB099048AA2
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph (interactive graph rendering not reproduced): entry block 5c4fe2-5c504e; basic blocks reference call 5b4f90, _stat64i32, CopyFileA, call 5b4370, call 5c4010, call 5b4770, call 5b2620 and call 5ce02b, repeated once per library file checked.
                                                                            APIs
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?,?,00000000), ref: 005C5047
                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 005C5108
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?,?,00000000), ref: 005C5205
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: _stat64i32$CopyFile
                                                                            • String ID: %s exit }$8$CStealthManager::checkAndUpdatePocoLibrary$PocoNet.dll$PocoNetSSL.dll$PocoUtil.dll$PocoXML.dll$Update libcrypto dll$Update poco net dll$Update poco netssl dll$Update poco util dll$Update poco xml dll$[%d][%d][%d][%d][%d][%d][%d][%d][%d]$\PocoNet.dll$\PocoNetSSL.dll$\PocoUtil.dll$\PocoXML.dll$\libcrypto.dll$\libssl.dll$libcrypto.dll$libssl.dll$stealth_manager
                                                                            • API String ID: 3823094038-160391532
                                                                            • Opcode ID: 47bb444cc39cf94c5b8207916d0323b83a3c2abb60ea0bac2e3da490ecc9cd36
                                                                            • Instruction ID: c1a53361f283f632361179fff6784bcdb2ea561ce8a889a559f8ad7278b27447
                                                                            • Opcode Fuzzy Hash: 47bb444cc39cf94c5b8207916d0323b83a3c2abb60ea0bac2e3da490ecc9cd36
                                                                            • Instruction Fuzzy Hash: 3342A070D04248DEEF14DFE8D849BEE7FB4BB05304F604499E4516B282E775AA85CFA2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            [Control-flow graph rendering not recoverable from extraction; function entry block 5c51a0, calls listed under APIs below]
                                                                            APIs
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?,?,00000000), ref: 005C5205
                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 005C52C6
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?,?,00000000), ref: 005C53C3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: _stat64i32$CopyFile
                                                                            • String ID: %s exit }$8$CStealthManager::checkAndUpdatePocoLibrary$PocoNetSSL.dll$PocoUtil.dll$PocoXML.dll$Update libcrypto dll$Update poco netssl dll$Update poco util dll$Update poco xml dll$[%d][%d][%d][%d][%d][%d][%d][%d][%d]$\PocoNetSSL.dll$\PocoUtil.dll$\PocoXML.dll$\libcrypto.dll$\libssl.dll$libcrypto.dll$libssl.dll$stealth_manager
                                                                            • API String ID: 3823094038-530629532
                                                                            • Opcode ID: cf05ac0671ea9879d9662d32b3315ef7cdb751f01206da34d3adb7bfb3e02598
                                                                            • Instruction ID: 2fc53569d96edfd56883f32d772159f40c8a820709576ab335bfcd17fe7c4b4d
                                                                            • Opcode Fuzzy Hash: cf05ac0671ea9879d9662d32b3315ef7cdb751f01206da34d3adb7bfb3e02598
                                                                            • Instruction Fuzzy Hash: 5622A170D04248DEEF14DFE8D849BEE7FB4BB05304F604489E4516B282E775AA85CFA2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            [Control-flow graph rendering not recoverable from extraction; function entry block 5c535e, calls listed under APIs below]
                                                                            APIs
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?,?,00000000), ref: 005C53C3
                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 005C5484
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?,?,00000000), ref: 005C5581
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: _stat64i32$CopyFile
                                                                            • String ID: %s exit }$8$CStealthManager::checkAndUpdatePocoLibrary$PocoUtil.dll$PocoXML.dll$Update libcrypto dll$Update poco util dll$Update poco xml dll$[%d][%d][%d][%d][%d][%d][%d][%d][%d]$\PocoUtil.dll$\PocoXML.dll$\libcrypto.dll$\libssl.dll$libcrypto.dll$libssl.dll$stealth_manager
                                                                            • API String ID: 3823094038-412040896
                                                                            • Opcode ID: 5323dbb57c46f0dff51c1b47ffb9d0cb5f541148d14e57b8464d42da5fa654f0
                                                                            • Instruction ID: b10844c10e6cff21ea0b6add07d45ade5554dafaf543d1a4bf8ff52cafb4c653
                                                                            • Opcode Fuzzy Hash: 5323dbb57c46f0dff51c1b47ffb9d0cb5f541148d14e57b8464d42da5fa654f0
                                                                            • Instruction Fuzzy Hash: FE029070D04249DEEF14DFE8D849BEEBFB4BB05304F604489E45167282E775AA85CFA2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            [Control-flow graph rendering not recoverable from extraction; function entry block 5c1510, calls listed under APIs below]
                                                                            APIs
                                                                              • Part of subcall function 005B2620: new.LIBCMT ref: 005B2652
                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,000F0001,00000004,3A04C82C,00000000,00000000), ref: 005C1582
                                                                            • lstrcpyW.KERNEL32(?,NoPath), ref: 005C177D
                                                                            • lstrcpyW.KERNEL32(?,NoPath), ref: 005C17B0
                                                                            • StartServiceW.ADVAPI32(?,00000003,00000000), ref: 005C17BC
                                                                            • GetLastError.KERNEL32 ref: 005C17C8
                                                                            • GetLastError.KERNEL32 ref: 005C1595
                                                                              • Part of subcall function 005B2590: new.LIBCMT ref: 005B25C2
                                                                            • OpenServiceA.ADVAPI32(00000000,?,A0000012), ref: 005C163E
                                                                            • GetLastError.KERNEL32 ref: 005C164B
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 005C1665
                                                                            • ChangeServiceConfig2W.ADVAPI32 ref: 005C16C9
                                                                            • lstrcpyW.KERNEL32(?,HideForm), ref: 005C174A
                                                                            • lstrcpyW.KERNEL32(?,00000000), ref: 005C1769
                                                                            • lstrcpyW.KERNEL32(?,00000000), ref: 005C179C
                                                                            • CloseServiceHandle.ADVAPI32(?), ref: 005C17E8
                                                                            • CloseServiceHandle.ADVAPI32(?), ref: 005C17ED
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Service$lstrcpy$CloseErrorHandleLast$Open$ChangeConfig2ManagerStart
                                                                            • String ID: Cannot open OpenSCManager error code %d$Cannot open service, error code: %d$Failed to start the service, error code: %d$HideForm$Launching service: %s, showdialog: %d$NoPath$ShowForm$stealth_manager
                                                                            • API String ID: 4158861149-887355719
                                                                            • Opcode ID: 6303a06d021554b4b9ad437db98e1fe8718d5967ae636bb7f772e069440ad04d
                                                                            • Instruction ID: 74d4fcc99a9b1ef28ffd0a9098eb70b5b06d6834f7a62033afcf5b1ca687e5f0
                                                                            • Opcode Fuzzy Hash: 6303a06d021554b4b9ad437db98e1fe8718d5967ae636bb7f772e069440ad04d
                                                                            • Instruction Fuzzy Hash: 16914B70D01209AFDB21EF94DC4ABAEBFB5FF45304F10405AE811AB292D7B56A45CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            [Control-flow graph rendering not recoverable from extraction; function entry block 5c4510, calls listed under APIs below]
                                                                            APIs
                                                                              • Part of subcall function 005B2620: new.LIBCMT ref: 005B2652
                                                                            • GetFileAttributesA.KERNELBASE(?,?,?,?,?,3A04C82C,00000000), ref: 005C45FB
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4783
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4790
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B479D
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B47A8
                                                                              • Part of subcall function 005C4110: _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?,?,?,?,?,00000000,00000000), ref: 005C4263
                                                                              • Part of subcall function 005C4110: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 005C428E
                                                                              • Part of subcall function 005B4270: ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,?,?,?,005B10A4,Pacific/Marquesas,00000011), ref: 005B42E3
                                                                              • Part of subcall function 005B4270: memmove.VCRUNTIME140(?,00000000,0000023A,?,?,?,?,005B10A4,Pacific/Marquesas,00000011), ref: 005B4337
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn$File$AttributesCopyXlength_error@std@@_stat64i32memmove
                                                                            • String ID: %s enter {$%s exit }$CStealthManager::checkAndUpdateNetFilterSDK2$ProtocolFilters.dll$libprotobuf-lite.dll$libs\$nfdrive 1 : [%d][%d][%d][%d][%d][%d][%d][%d][%d][%d]$nfdrive 2 : [%d][%d][%d][%d]$nss\certutil.exe$nss\freebl3.dll$nss\libnspr4.dll$nss\libplc4.dll$nss\libplds4.dll$nss\nss3.dll$nss\nssckbi.dll$nss\nssdbm3.dll$nss\nssutil3.dll$nss\smime3.dll$nss\softokn3.dll$nss\sqlite3.dll$stealth_manager
                                                                            • API String ID: 1857767709-241988061
                                                                            • Opcode ID: a09aa7eb80cd87b7091d6cd1be8a37a927afe019fa0beef7ba0e7127e08f9971
                                                                            • Instruction ID: 568479cd152eeabea1abb93463b887f648d0cf9719017e2ba1a021066b72af02
                                                                            • Opcode Fuzzy Hash: a09aa7eb80cd87b7091d6cd1be8a37a927afe019fa0beef7ba0e7127e08f9971
                                                                            • Instruction Fuzzy Hash: 66C16870A05295AEDB35ABF8D81ABEE7E717B52304F24008DE4402B2D3C7B65549DF92
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph (rendered graph omitted; the original marks each node as Executed or Not Executed)
                                                                            • Function range: 5c2f50-5c3ac4
                                                                            • Subroutine calls in graph: 5b2620, 5b4f90, 5b6350, 5b4f40, 5b4770, 5b6380, 5b4370, 5c3e00, 5ce02b
                                                                            • API calls in graph: GetFileAttributesA, _stat64i32 (repeated per checked file), CopyFileA
                                                                            APIs
                                                                              • Part of subcall function 005B2620: new.LIBCMT ref: 005B2652
                                                                            • GetFileAttributesA.KERNELBASE(?,?,?,?,?,3A04C82C,00000000), ref: 005C303E
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,005DEA10), ref: 005C319E
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,005DEAD0), ref: 005C329D
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,005DEB18), ref: 005C339C
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,005DE9B0), ref: 005C359A
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,005DEA58), ref: 005C3696
                                                                            • CopyFileA.KERNEL32(?,00000000,00000000), ref: 005C36D6
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?,005DEB90), ref: 005C373F
                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 005C3779
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,005DEA88), ref: 005C37F6
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,005DEA40), ref: 005C349B
                                                                              • Part of subcall function 005B4370: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?,00000000,?,005B42CF,?,00000000,0000023A,?,?,?,005B10A4,Pacific/Marquesas,00000011), ref: 005B438A
                                                                              • Part of subcall function 005B4370: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?,00000000,?,005B42CF,?,00000000,0000023A,?,?,?,005B10A4,Pacific/Marquesas,00000011), ref: 005B43AB
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,005DEBA8,stealth_manager,flag delete : %d,00000000,?,?,?,?,3A04C82C,00000000), ref: 005C309F
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4783
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4790
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B479D
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B47A8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: _stat64i32$_invalid_parameter_noinfo_noreturn$File$CopyXout_of_range@std@@$Attributes
                                                                            • String ID: %s enter {$%s exit }$CStealthManager::checkAndUpdateNewBinary$copy hookDll32 : %d$copy hookDll64 : %d$flag delete : %d$stealth_manager$temp\
                                                                            • API String ID: 3183754490-2088693739
                                                                            • Opcode ID: 631432ecae668c9b02241b331e7a7a865f556c6c1e4656a41ea8617db1ab603c
                                                                            • Instruction ID: d7c7d8caaa973e0f9699d4ab8d4f11e1fce8c490f95441c9a95614634e162d9e
                                                                            • Opcode Fuzzy Hash: 631432ecae668c9b02241b331e7a7a865f556c6c1e4656a41ea8617db1ab603c
                                                                            • Instruction Fuzzy Hash: 5D624F70900249DEEF14DF98CC49BEE7FB5BB01304F604599E0456B292D7B5AB8ACFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%
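The listings above repeat one pattern per dropped component: probe a path with GetFileAttributesA or _stat64i32, then CopyFileA it into place, with the target names ("temp\", "nt_system_service.exe", the nss\ and Poco DLL set) only visible in the String ID line. Pulling that out of each function by eye does not scale across a report this long. The following Python is an added example, not part of the Joe Sandbox report or of the sample's code: it parses the report's own "APIs" and "String ID" line format into records and summarises one function. The sample text is constructed from lines of this report in the same shape; the FILE_PROBE and FILE_WRITE category sets and the path heuristic are the editor's assumptions, not anything Joe Sandbox defines.

```python
"""Parse the 'APIs' and 'String ID' entries of a Joe Sandbox function listing
and summarise which entries point at probe-then-copy file-dropping behaviour.

Added example; the constructed sample below mirrors the report's line format
for the function at 5c2f50 (CStealthManager::checkAndUpdateNewBinary).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the report's listing format.
SAMPLE_LISTING = r"""APIs
  • Part of subcall function 005B2620: new.LIBCMT ref: 005B2652
• GetFileAttributesA.KERNELBASE(?,?,?,?,?,3A04C82C,00000000), ref: 005C303E
• _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,005DEA10), ref: 005C319E
• CopyFileA.KERNEL32(?,00000000,00000000), ref: 005C36D6
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 005C3779
  • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4783
Similarity
• API ID: _stat64i32$_invalid_parameter_noinfo_noreturn$File$CopyXout_of_range@std@@$Attributes
• String ID: %s enter {$%s exit }$CStealthManager::checkAndUpdateNewBinary$copy hookDll32 : %d$copy hookDll64 : %d$flag delete : %d$stealth_manager$temp\
"""

# One API entry: optional 'Part of subcall function <caller>:' prefix,
# '<api>.<module>(<args>)' or '<api>.<module>', then 'ref: <address>'.
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[^.(\s]+)\.(?P<module>[A-Za-z0-9_.\-]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# The 'String ID' line carries the function's string references joined by '$'.
STRING_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<body>.*)$")

# Editor's assumption: which APIs count as 'probe' and which as 'write'.
FILE_PROBE = {"GetFileAttributesA", "GetFileAttributesW", "_stat64i32"}
FILE_WRITE = {"CopyFileA", "CopyFileW", "WriteFile", "fwrite"}
# Editor's heuristic for strings that look like file or directory names.
PATH_LIKE = re.compile(r"(\\|\.(dll|exe|sys)$)", re.IGNORECASE)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple              # argument tokens exactly as printed ('?' = unknown)
    ref: str                 # call-site address from the report
    caller: Optional[str]    # set when the report marks the call as a subcall


@dataclass
class Listing:
    calls: List[ApiCall]
    strings: List[str]


def parse_listing(text: str) -> Listing:
    """Turn the text of one function listing into ApiCall records and strings."""
    calls, strings = [], []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            raw = m.group("args")
            args = tuple(a.strip() for a in raw.split(",")) if raw is not None else ()
            calls.append(ApiCall(m["api"], m["module"], args, m["ref"], m["caller"]))
            continue
        m = STRING_LINE.match(line)
        if m:
            strings.extend(s for s in m["body"].split("$") if s)
    return Listing(calls, strings)


def triage(listing: Listing) -> dict:
    """Summarise direct (non-subcall) API use and the strings worth a closer look."""
    direct = [c for c in listing.calls if c.caller is None]
    return {
        # C++ symbol names the binary logs about itself, e.g. 'CStealthManager::...'
        "symbols": [s for s in listing.strings if "::" in s],
        "direct_api_counts": dict(Counter(c.api for c in direct)),
        # Probe-then-copy: checks whether a file exists, then copies one into place.
        "probe_then_copy": any(c.api in FILE_PROBE for c in direct)
        and any(c.api in FILE_WRITE for c in direct),
        "path_strings": [s for s in listing.strings if PATH_LIKE.search(s)],
        # Call sites to set breakpoints on when reproducing the drop in a debugger.
        "write_sites": [c.ref for c in direct if c.api in FILE_WRITE],
    }


if __name__ == "__main__":
    for key, value in triage(parse_listing(SAMPLE_LISTING)).items():
        print(f"{key}: {value}")
```

Subcall entries are kept in the records but excluded from the counts, because the report attributes them to the callee (005B4770, 005B2620) rather than to the function under review; counting them would make every function that uses the CRT string helpers look like it drops files. Feeding each function listing of this report through the same parser lets you line up the write sites (005C36D6, 005C3779, 005C5642, ...) against the path strings that accompany them.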

                                                                            Control-flow Graph (rendered graph omitted; the original marks each node as Executed or Not Executed)
                                                                            • Function range: 5b55b0-5b5b4f
                                                                            • Subroutine calls in graph: 5ceee0, 5ce02b, 5b4370, 5b5b60, 5b45b0, 5b3f70, 5ba760, 5b3f30, 5b4090, 5ba740, 5b3ed0, 5b6f70, 5b8210, 5b5150, 5b3e90, 5b5bf0, 5b6380, 5b6350, 5b60c0
                                                                            • API calls in graph: _stat64i32, GetFileAttributesA, fopen, fwrite, fclose, GetModuleFileNameW, _wsplitpath_s, wcscat_s, GetCurrentProcessId
                                                                            APIs
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,3A04C82C,?,?,?,?,005CF878,000000FF), ref: 005B5694
                                                                            • GetFileAttributesA.KERNEL32(00000000,00000000,00000000,000000FF,?,00000000,000000FF), ref: 005B575E
                                                                            • fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,005D37AC), ref: 005B57A8
                                                                            • fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000001,00000000), ref: 005B580C
                                                                            • fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 005B5813
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,?,?,?,?,?,000000FF), ref: 005B5882
                                                                            • fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,005D37AC,?,?,?,?,?,000000FF), ref: 005B59E0
                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 005B5A01
                                                                            • _wsplitpath_s.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,00000000,00000000,00000000,00000000,?,00000104,?,00000100), ref: 005B5A2E
                                                                            • wcscat_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000105,?), ref: 005B5A47
                                                                            • GetCurrentProcessId.KERNEL32(DEBUG,?), ref: 005B5ABE
                                                                            • fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000001,00000000,?,?,?,?,?,?,?,?,?), ref: 005B5B24
                                                                            • fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,?), ref: 005B5B2B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: File_stat64i32fclosefopenfwrite$AttributesCurrentModuleNameProcess_wsplitpath_swcscat_s
                                                                            • String ID: %s Continue on next file -->$%s %s [%d] <%s> [%s]: %s$DEBUG$ERROR$windows_hook_helper$windows_hook_manager
                                                                            • API String ID: 3352214153-4226532283
                                                                            • Opcode ID: cb75af55a168257b9d1cd4b822b30228bd17606e88440aca052e7dca09c8df14
                                                                            • Instruction ID: 8144ffb10068f0053a7965a75657e390002454ebfff5d584f13cf555d953733d
                                                                            • Opcode Fuzzy Hash: cb75af55a168257b9d1cd4b822b30228bd17606e88440aca052e7dca09c8df14
                                                                            • Instruction Fuzzy Hash: 78F19070910159DBDF28DF54CC99BE9BBB9BF54300F5401DAE40A67182EB71AB88CF51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph (rendered graph omitted; the original marks each node as Executed or Not Executed)
                                                                            • Function range: 5c551c-5c5bb7
                                                                            • Subroutine calls in graph: 5b4f90, 5b4370, 5b4770, 5c4010, 5b2620, 5ce02b
                                                                            • API calls in graph: _stat64i32 and CopyFileA, repeated once per library checked
                                                                            APIs
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?,?,00000000), ref: 005C5581
                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 005C5642
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?,?,00000000), ref: 005C573F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: _stat64i32$CopyFile
                                                                            • String ID: %s exit }$8$CStealthManager::checkAndUpdatePocoLibrary$PocoXML.dll$Update libcrypto dll$Update poco xml dll$[%d][%d][%d][%d][%d][%d][%d][%d][%d]$\PocoXML.dll$\libcrypto.dll$\libssl.dll$libcrypto.dll$libssl.dll$stealth_manager
                                                                            • API String ID: 3823094038-3867193674
                                                                            • Opcode ID: 7bba6a2c9dae26728892b53859552500800a7e8c39386c5e88f69129b0e75ace
                                                                            • Instruction ID: 05d1c3feba4be9cbd62f546b85f6c1bce284c69777d50a1fd7e43c78894e1166
                                                                            • Opcode Fuzzy Hash: 7bba6a2c9dae26728892b53859552500800a7e8c39386c5e88f69129b0e75ace
                                                                            • Instruction Fuzzy Hash: 1BD19070D04348DEEF15CBE8D849BEEBFB4BB05304F644489E45167282E775AA85CFA2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetFileAttributesA.KERNELBASE(?,?,00000000,00000000), ref: 005C2785
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,005DEA40), ref: 005C28F1
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,nt_system_service.exe), ref: 005C29FC
                                                                            • CopyFileA.KERNEL32(?,?,005DEA10), ref: 005C2AFB
                                                                            • CopyFileA.KERNEL32(?,?,00000000), ref: 005C2B85
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,005DEBA8), ref: 005C2BC4
                                                                            • CopyFileA.KERNEL32(?,?,00000000), ref: 005C2C48
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,005DEA58), ref: 005C2C93
                                                                            • CopyFileA.KERNEL32(?,00000000,00000000), ref: 005C2CE9
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,005DEB90), ref: 005C2D54
                                                                            • CopyFileA.KERNEL32(?,?,00000000), ref: 005C2D9A
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,005DEB18,stealth_manager,flag delete : %d,00000000,?,00000000,00000000), ref: 005C27E6
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4783
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4790
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B479D
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B47A8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: File_stat64i32$Copy$_invalid_parameter_noinfo_noreturn$Attributes
                                                                            • String ID: copy hookDll32 : %d$copy hookDll64 : %d$flag delete : %d$nt_system_service.exe$stealth_manager$temp\
                                                                            • API String ID: 468188498-3430577748
                                                                            • Opcode ID: 587b5a84c31659bd94bf566e74ba5c53ab769890380e23504fb38b9f29ff3bae
                                                                            • Instruction ID: 9eeef70cfe5eab4a0535e70d5a3500adb1f8014d4d4047b3afc7a23de63c986b
                                                                            • Opcode Fuzzy Hash: 587b5a84c31659bd94bf566e74ba5c53ab769890380e23504fb38b9f29ff3bae
                                                                            • Instruction Fuzzy Hash: AB428170900249DEEF24DBA8CC49BED7FB5FB11304F504499E045AB192DBB5AE89CFA1
                                                                             Uniqueness
                                                                             • Uniqueness Score: -1.00%
                                                                            APIs
                                                                              • Part of subcall function 005B2590: new.LIBCMT ref: 005B25C2
                                                                              • Part of subcall function 005B5120: __stdio_common_vsprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,00000014,00000000,?,?,005B5BA1,?,00000014,%04d-%02d,?,?), ref: 005B513D
                                                                            • _CxxThrowException.VCRUNTIME140(?,005DCC24,0000000F,00000000,00000001,?,?), ref: 005C7765
                                                                            • RegOpenKeyExW.KERNELBASE(00000007,?,00000000,00000201,00000000,3A04C82C,750292F0,00000000,00000000), ref: 005C77DA
                                                                            • GetLastError.KERNEL32 ref: 005C77F4
                                                                            • GetLastError.KERNEL32 ref: 005C7809
                                                                            • _CxxThrowException.VCRUNTIME140(?,005DCC24,0000000F,00000000,00000001), ref: 005C7870
                                                                            • RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000), ref: 005C7899
                                                                            • RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000), ref: 005C78D5
                                                                            • GetLastError.KERNEL32(?,LoadRepo: RegOpenKey failed (%d),00000000), ref: 005C78E1
                                                                            • GetLastError.KERNEL32(?,?,?,?,LoadRepo: RegOpenKey failed (%d),00000000), ref: 005C78F6
                                                                            • _CxxThrowException.VCRUNTIME140(?,005DCC24,0000000F,00000000,LoadRepo: RegQueryValueEx failed (%d),00000000,?,?,?,?,LoadRepo: RegOpenKey failed (%d),00000000), ref: 005C7930
                                                                            • memmove.VCRUNTIME140(00000000,?,?,00000000,LoadRepo: RegQueryValueEx failed (%d),00000000,?,?,?,?,LoadRepo: RegOpenKey failed (%d),00000000), ref: 005C79BB
                                                                            • new.LIBCMT ref: 005C79C2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                             • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$ExceptionThrow$QueryValue$Open__stdio_common_vsprintf_smemmove
                                                                            • String ID: LoadRepo: Invalid Registry Size$LoadRepo: RegOpenKey failed (%d)$LoadRepo: RegQueryValueEx failed (%d)$stealth_manager
                                                                            • API String ID: 667390599-1403936554
                                                                            • Opcode ID: 3086c0b72b2e577b0df31e920d5d1c2204a5951012c85405e7fb95092bce861e
                                                                            • Instruction ID: 10c6f3146a7a4984d61945c8ddf94642cd76cf9259324bac072fd61b044a4006
                                                                            • Opcode Fuzzy Hash: 3086c0b72b2e577b0df31e920d5d1c2204a5951012c85405e7fb95092bce861e
                                                                            • Instruction Fuzzy Hash: 40B14471904219AFDF24DFA4CC4AFDA7FB8FB49700F00459AE509AB681DB71AA44CF91
                                                                             Uniqueness
                                                                             • Uniqueness Score: -1.00%
                                                                            APIs
                                                                            • RegOpenKeyExW.KERNELBASE(00000007,?,00000000,00000201,00000000,3A04C82C,750292F0,00000000,00000000), ref: 005C77DA
                                                                            • GetLastError.KERNEL32 ref: 005C77F4
                                                                            • GetLastError.KERNEL32 ref: 005C7809
                                                                            • _CxxThrowException.VCRUNTIME140(?,005DCC24,0000000F,00000000,00000001), ref: 005C7870
                                                                            • RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000), ref: 005C7899
                                                                            • RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000), ref: 005C78D5
                                                                            • GetLastError.KERNEL32(?,LoadRepo: RegOpenKey failed (%d),00000000), ref: 005C78E1
                                                                            • GetLastError.KERNEL32(?,?,?,?,LoadRepo: RegOpenKey failed (%d),00000000), ref: 005C78F6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                             • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$QueryValue$ExceptionOpenThrow
                                                                            • String ID: LoadRepo: RegOpenKey failed (%d)$LoadRepo: RegQueryValueEx failed (%d)$stealth_manager
                                                                            • API String ID: 698041737-4132295493
                                                                            • Opcode ID: 03a5ee3bb3a66e8701fa651a8127941249a831f2b8e9d1bbc1588a162e1a49ac
                                                                            • Instruction ID: c477ba1bee3628d4c8dca0db640b10d489bcff5ab749a5cbca434410a0a460e1
                                                                            • Opcode Fuzzy Hash: 03a5ee3bb3a66e8701fa651a8127941249a831f2b8e9d1bbc1588a162e1a49ac
                                                                            • Instruction Fuzzy Hash: FA812371905219AFDB20DFA4CC4AFDABFB8FB48700F00459AE509AB251DA71AE44CF91
                                                                             Uniqueness
                                                                             • Uniqueness Score: -1.00%
                                                                            APIs
                                                                              • Part of subcall function 005B2620: new.LIBCMT ref: 005B2652
                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,000F0001,00000000,00000000), ref: 005C1020
                                                                            • OpenServiceA.ADVAPI32(00000000,?,A0000012), ref: 005C1042
                                                                            • ChangeServiceConfig2W.ADVAPI32(00000000), ref: 005C10A5
                                                                            • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 005C10B0
                                                                            • GetLastError.KERNEL32 ref: 005C10C0
                                                                              • Part of subcall function 005B2590: new.LIBCMT ref: 005B25C2
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 005C10E0
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 005C10E3
                                                                            • GetLastError.KERNEL32 ref: 005C10E7
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 005C1107
                                                                            • GetLastError.KERNEL32 ref: 005C110B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                             • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Service$CloseErrorHandleLast$Open$ChangeConfig2ManagerStart
                                                                            • String ID: Cannot open OpenSCManager error code %d$Cannot open service, error code: %d$Failed to start the service, error code: %d$Launching system service: %s$stealth_manager
                                                                            • API String ID: 845704753-265196682
                                                                            • Opcode ID: 52cd0de63c94157844f1800bd300943bcd526c1ceec62c44d31d4b16bb3f31eb
                                                                            • Instruction ID: 2c1a11b6134f7d6514a6bf7c72cc6a5b84a5cb603482151a74eae26fe7ab780d
                                                                            • Opcode Fuzzy Hash: 52cd0de63c94157844f1800bd300943bcd526c1ceec62c44d31d4b16bb3f31eb
                                                                            • Instruction Fuzzy Hash: E1417F71941209EFDB209BD4DC49BEEBFB8FB09704F14001BE901AB281E7B56949CFA5
                                                                             Uniqueness
                                                                             • Uniqueness Score: -1.00%
                                                                            APIs
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?,?,00000000), ref: 005C573F
                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 005C5800
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?,?,00000000), ref: 005C58FD
                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 005C5920
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                             • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: CopyFile_stat64i32
                                                                            • String ID: %s exit }$8$CStealthManager::checkAndUpdatePocoLibrary$Update libcrypto dll$[%d][%d][%d][%d][%d][%d][%d][%d][%d]$\libcrypto.dll$\libssl.dll$libcrypto.dll$libssl.dll$stealth_manager
                                                                            • API String ID: 791829690-2389273652
                                                                            • Opcode ID: d667a95afe15ebf041bc5ed060e8843daac8bea85143a418847fcc0599846fb8
                                                                            • Instruction ID: fd78293388f9107137e4b37ed61a3dd3e5e2ef885d9166d6ae75282abdc0b2eb
                                                                            • Opcode Fuzzy Hash: d667a95afe15ebf041bc5ed060e8843daac8bea85143a418847fcc0599846fb8
                                                                            • Instruction Fuzzy Hash: 15A18070D04248DEEF25CBE8DC45BEEBFB4BB05304F64408AE45166292E775AA85CF62
                                                                             Uniqueness
                                                                             • Uniqueness Score: -1.00%
                                                                            APIs
                                                                              • Part of subcall function 005B2620: new.LIBCMT ref: 005B2652
                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,000F0001,750292F0,00000000), ref: 005C1D3E
                                                                            • OpenServiceA.ADVAPI32(00000000,?,A0000000), ref: 005C1D60
                                                                            • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 005C1D71
                                                                            • GetLastError.KERNEL32 ref: 005C1D7D
                                                                              • Part of subcall function 005B2590: new.LIBCMT ref: 005B25C2
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 005C1D9D
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 005C1DA6
                                                                            • GetLastError.KERNEL32 ref: 005C1DAA
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 005C1DCC
                                                                            • GetLastError.KERNEL32 ref: 005C1DD0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                             • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Service$CloseErrorHandleLast$Open$ManagerStart
                                                                            • String ID: Cannot open OpenSCManager error code %d$Cannot open service, error code: %d$Failed to start the service, error code: %d$Launching Update service: %s$stealth_manager
                                                                            • API String ID: 2350709577-1495461891
                                                                            • Opcode ID: dd24fa1e6ec45444d28b74284b6ecb56b654d8092a9cac1aa0ef7248c5cdd241
                                                                            • Instruction ID: 803cfc3b3513a97d553d6d1ae66185c45dd879d094e1d996d4140f1d90b5148f
                                                                            • Opcode Fuzzy Hash: dd24fa1e6ec45444d28b74284b6ecb56b654d8092a9cac1aa0ef7248c5cdd241
                                                                            • Instruction Fuzzy Hash: 0631BB31645609AFD720ABE4DC4AFEE7F78FB59710F14001BF502662D2EB706944CAB6
                                                                             Uniqueness
                                                                             • Uniqueness Score: -1.00%
                                                                            APIs
                                                                            • GetFileAttributesA.KERNELBASE(?,?,3A04C82C,00000000), ref: 005C3BB9
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,3A04C82C,005DEA58,?,3A04C82C,00000000), ref: 005C3BFB
                                                                            • CopyFileA.KERNEL32(?,00000000,00000000), ref: 005C3C3C
                                                                            • GetLastError.KERNEL32 ref: 005C3C48
                                                                            • CopyFileA.KERNEL32(?,?,00000000), ref: 005C3CFD
                                                                            • GetLastError.KERNEL32 ref: 005C3D09
                                                                              • Part of subcall function 005B2620: new.LIBCMT ref: 005B2652
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,005DEB90), ref: 005C3CAC
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4783
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4790
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B479D
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B47A8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                             • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn$File$CopyErrorLast_stat64i32$Attributes
                                                                            • String ID: cp dll 32 : %d, %d$cp dll 64 : %d, %d$cp dll no temp$stealth_manager$temp\
                                                                            • API String ID: 2386109806-900647939
                                                                            • Opcode ID: a9ef8392dec30755193808337caf6068d4ad54802533fcb050ebd0df7cba948e
                                                                            • Instruction ID: bf0aeddfe96a5ba3c857ba92bc8dd27c71d6dd2e9db06804c7dc76c3a7a546dd
                                                                            • Opcode Fuzzy Hash: a9ef8392dec30755193808337caf6068d4ad54802533fcb050ebd0df7cba948e
                                                                            • Instruction Fuzzy Hash: 2B919F70900249DFEB20DBA8CC49BEEBFB5FB15300F94445AE406A7292DB756E49CF61
                                                                             Uniqueness
                                                                             • Uniqueness Score: -1.00%
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                             • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: #$Failed to launch process monitor$Failed to launch startup service$Failed to launch system service$STARTUP GU TYPE : %d$STARTUP SET GU TYPE : %d$Show dialog: %d$lic.dat$post_install
                                                                            • API String ID: 0-3207515809
                                                                            • Opcode ID: 382b5eae1d27f6cdd15b4cbce4ffd6de4f9fe141b2a67b47453bf59dbd5a82f0
                                                                            • Instruction ID: 7ce34399c8f9795380a2da1879326a002b10ae14f3cd1c06c6541a7476745c82
                                                                            • Opcode Fuzzy Hash: 382b5eae1d27f6cdd15b4cbce4ffd6de4f9fe141b2a67b47453bf59dbd5a82f0
                                                                            • Instruction Fuzzy Hash: 92B1A270E002459FEF25AF58D80ABAD7FB5BB41304F204199E4057B393DBB5AB858F92
                                                                             Uniqueness
                                                                             • Uniqueness Score: -1.00%
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                             • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: #$Failed to launch process monitor$Failed to launch startup service$Failed to launch system service$STARTUP GU TYPE : %d$STARTUP SET GU TYPE : %d$Show dialog: %d$lic.dat$post_install
                                                                            • API String ID: 0-3207515809
                                                                            • Opcode ID: d8f98148c18b864c6d531e244d351d49e9f9b9e23cb85e6b1b20529e24a1e580
                                                                            • Instruction ID: e88dfb5bb1b2447aa20068a37db429d15b050a924d5cfeb6f901c579ac3f5085
                                                                            • Opcode Fuzzy Hash: d8f98148c18b864c6d531e244d351d49e9f9b9e23cb85e6b1b20529e24a1e580
                                                                            • Instruction Fuzzy Hash: D3B19270E002459FEB25AF58D80ABAD7FB5BB41304F204199E4057B393DBB5AB858F92
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: #$Failed to launch process monitor$Failed to launch startup service$Failed to launch system service$STARTUP GU TYPE : %d$STARTUP SET GU TYPE : %d$Show dialog: %d$lic.dat$post_install
                                                                            • API String ID: 0-3207515809
                                                                            • Opcode ID: fa5cab325dac74dde4ac212e1ed2962859213348e564098f587a9be341d60a7a
                                                                            • Instruction ID: cc118e2ba1c8abc1862aedcc7950e1256956893dcea78d2a9cebd4bb1466d5a3
                                                                            • Opcode Fuzzy Hash: fa5cab325dac74dde4ac212e1ed2962859213348e564098f587a9be341d60a7a
                                                                            • Instruction Fuzzy Hash: 8EA19270E002459FEB25AF58D80ABAD7FB5BB41304F204199E4057B393DBB5AF858F92
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetFileAttributesA.KERNELBASE(0000001C,.txt,00000004,postinstall,0000000B,7'[,?,3A04C82C,?,?), ref: 005B53BA
                                                                            • _mkdir.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(0000001C,?,?), ref: 005B53D2
                                                                            • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B53DF
                                                                            • GetFileAttributesA.KERNELBASE(0000001C,.txt,00000004,postinstall,0000000B,7'[,?,3A04C82C,?,?), ref: 005B53FE
                                                                            • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,000000FF,0000001C,00000000,000000FF,.txt,00000004,postinstall,0000000B,7'[,?,3A04C82C,?,?), ref: 005B549B
                                                                            • _mkdir.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?,?), ref: 005B54B6
                                                                            • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B54C3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: AttributesFile$_errno_mkdir
                                                                            • String ID: .txt$7'[$postinstall
                                                                            • API String ID: 3316992066-282842050
                                                                            • Opcode ID: 5c9df6db215d48a62f34439cf9896718b488d03c89d8065ed68c46fa46bbebad
                                                                            • Instruction ID: 765fa29d6f2fe826d98c13176152a1cc59fafde0b234a7c00e59af8b950e6ab5
                                                                            • Opcode Fuzzy Hash: 5c9df6db215d48a62f34439cf9896718b488d03c89d8065ed68c46fa46bbebad
                                                                            • Instruction Fuzzy Hash: 4CA17E30900644DFEB28DF68D848BEEBFB5FB05310F540959E412A72D2D7B1BA84CB61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SendMessageTimeoutW.USER32(0000FFFF,00000000,00000000,00000000,0000000A,000003E8,?), ref: 005C84B6
                                                                            • Sleep.KERNELBASE(00002710), ref: 005C84C1
                                                                            • memset.VCRUNTIME140(?,00000000,00000088), ref: 005C84D5
                                                                              • Part of subcall function 005BCAE0: GetCurrentProcess.KERNEL32(00000000,3A04C82C,750292F0,00000000), ref: 005BCBDC
                                                                              • Part of subcall function 005BCAE0: IsWow64Process.KERNEL32(00000000), ref: 005BCBE3
                                                                            • OpenProcess.KERNEL32(00000001,00000000,00000009,00000000,?,?,?,?,?,?,00000000,?,00000088), ref: 005C86CE
                                                                              • Part of subcall function 005B4710: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005B4B9C,?,?,750292F0,?,750292F0), ref: 005B4720
                                                                              • Part of subcall function 005B4710: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005B4B9C,?,?,750292F0,?,750292F0), ref: 005B4734
                                                                              • Part of subcall function 005B4710: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005B4B9C,?,?,750292F0,?,750292F0), ref: 005B4741
                                                                              • Part of subcall function 005B4710: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005B4B9C,?,?,750292F0,?,750292F0), ref: 005B474E
                                                                              • Part of subcall function 005B4710: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005B4B9C,?,?,750292F0,?,750292F0), ref: 005B4759
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn$Process$CurrentMessageOpenSendSleepTimeoutWow64memset
                                                                            • String ID: Terminating : %ws (%d)[%X]: %d$uninstall_util
                                                                            • API String ID: 2511561161-3982135322
                                                                            • Opcode ID: f8b67ba8499b21669a6e847a53af12376e65a15452296990d3178bc430e7e939
                                                                            • Instruction ID: edea9809c28b349c975e53f46ac471f76c88bc164864d57165880c965d7b98ea
                                                                            • Opcode Fuzzy Hash: f8b67ba8499b21669a6e847a53af12376e65a15452296990d3178bc430e7e939
                                                                            • Instruction Fuzzy Hash: C2C13930900219EEDF24DBA4CC89BEEBBB5FF55304F204199E409A7291EB756A89CF51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?,?,00000000), ref: 005C58FD
                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 005C5920
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: CopyFile_stat64i32
                                                                            • String ID: %s exit }$8$CStealthManager::checkAndUpdatePocoLibrary$[%d][%d][%d][%d][%d][%d][%d][%d][%d]$\libssl.dll$libssl.dll$stealth_manager
                                                                            • API String ID: 791829690-3826218177
                                                                            • Opcode ID: 60e40fdadfa863bcac571d071e76dfcdbd3e04ecfbc032f57bad1584c84f9b49
                                                                            • Instruction ID: 6079e7c7d55050f18e3918eabea48831bb5819f0bfd08ca37565f9eb5f19fdb2
                                                                            • Opcode Fuzzy Hash: 60e40fdadfa863bcac571d071e76dfcdbd3e04ecfbc032f57bad1584c84f9b49
                                                                            • Instruction Fuzzy Hash: 3451A470E04398AEEF25C7E4DC55BEEBFB4BB06304F54408AE48562292D7756E84CF22
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,00000000,?,005CA9A5,005C862E,00000009), ref: 005CAD2C
                                                                            • GetProcAddress.KERNEL32(00000000,NtWow64QueryInformationProcess64), ref: 005CAD4D
                                                                            • GetProcAddress.KERNEL32(00000000,NtWow64ReadVirtualMemory64), ref: 005CAD67
                                                                            • GetProcAddress.KERNEL32(00000000,NtQueryInformationProcess), ref: 005CAD81
                                                                            Strings
                                                                            • ntdll.dll, xrefs: 005CAD27
                                                                            • NtQueryInformationProcess, xrefs: 005CAD7B
                                                                            • NtWow64ReadVirtualMemory64, xrefs: 005CAD61
                                                                            • NtWow64QueryInformationProcess64, xrefs: 005CAD47
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$HandleModule
                                                                            • String ID: NtQueryInformationProcess$NtWow64QueryInformationProcess64$NtWow64ReadVirtualMemory64$ntdll.dll
                                                                            • API String ID: 667068680-1418883184
                                                                            • Opcode ID: 46304106ec5312de75cc7dbbe0dccfb749c20b00f47434d4e10c47ebec4824a0
                                                                            • Instruction ID: fc38fd0e1c063c2abe00ba34465799f28408607076b872dba32d054f50348719
                                                                            • Opcode Fuzzy Hash: 46304106ec5312de75cc7dbbe0dccfb749c20b00f47434d4e10c47ebec4824a0
                                                                            • Instruction Fuzzy Hash: 6701713050361BDDDB716BA9BC1AB953FA47B6032BF04012BE402965A0D7788C8EDE93
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4783
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4790
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B479D
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B47A8
                                                                            • GetFileAttributesA.KERNELBASE(?,?,?,750292F0,00000001,00000010,0000000D,0000000C,00000009,00000008,00000006,00000003,00000002,00000007,?,750292F0), ref: 005BDE5D
                                                                            • GetFileAttributesA.KERNEL32(?,?,?,?,?,750292F0,00000001,00000010,0000000D,0000000C,00000009,00000008,00000006,00000003,00000002,00000007), ref: 005BDEAF
                                                                              • Part of subcall function 005BA3E0: RemoveDirectoryA.KERNEL32(?,?,005BDECA,?,?,?,?,750292F0,00000001,00000010,0000000D,0000000C,00000009,00000008,00000006,00000003), ref: 005BA3E4
                                                                              • Part of subcall function 005BA3E0: MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 005BA3F2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn$File$Attributes$DirectoryMoveRemove
                                                                            • String ID: NT System Service$NtSys$\library\$library\$nt_system_service.exe
                                                                            • API String ID: 2810654569-3684818500
                                                                            • Opcode ID: 045dd6806cd48bb6e88d845ebcfd791f73518aa2ca130ab7d555dc9c16bf67f9
                                                                            • Instruction ID: cbeeb7b4cb21d0d39ac56f4907d51356b4fb727df2d635ed29ae6deba7ef4b14
                                                                            • Opcode Fuzzy Hash: 045dd6806cd48bb6e88d845ebcfd791f73518aa2ca130ab7d555dc9c16bf67f9
                                                                            • Instruction Fuzzy Hash: 19623B70900249DFEB24DB58CC49BEEBBB6FB45304F540599E405A7292DB70BE85CFA2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CoCreateInstance.OLE32(005D3410,00000000,00000001,005D3420,?), ref: 005B84AD
                                                                              • Part of subcall function 005B8100: new.LIBCMT ref: 005B8129
                                                                              • Part of subcall function 005B8100: SysAllocString.OLEAUT32(ROOT\CIMV2), ref: 005B8162
                                                                              • Part of subcall function 005B8100: _com_issue_error.COMSUPP ref: 005B8173
                                                                              • Part of subcall function 005B8100: _com_issue_error.COMSUPP ref: 005B818C
                                                                            • SysFreeString.OLEAUT32(00000000), ref: 005B8514
                                                                            • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 005B855B
                                                                            • CoCreateInstance.OLE32(005D3A2C,00000000,00000001,005D3A3C,?), ref: 005B865C
                                                                            • _wtoi64.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 005B868F
                                                                            • SysFreeString.OLEAUT32(?), ref: 005B86A8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: String$CreateFreeInstance_com_issue_error$AllocBlanketProxy_wtoi64
                                                                            • String ID: WQL
                                                                            • API String ID: 1687189681-1249411209
                                                                            • Opcode ID: 182c2bee185c4ed8015cd918a8f43341193171007ea6c24f6d4a440d6d85027d
                                                                            • Instruction ID: 50ca6f553a59fcfa8f0d6804f94c086b18e4d086432034e3bbf772a05141e883
                                                                            • Opcode Fuzzy Hash: 182c2bee185c4ed8015cd918a8f43341193171007ea6c24f6d4a440d6d85027d
                                                                            • Instruction Fuzzy Hash: B4B14D70A00209AFEB20DFA4CC49BEEBFB9FF54704F244059E915AB291DB75B905CB51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 005B2620: new.LIBCMT ref: 005B2652
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4783
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4790
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B479D
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B47A8
                                                                              • Part of subcall function 005C7770: RegOpenKeyExW.KERNELBASE(00000007,?,00000000,00000201,00000000,3A04C82C,750292F0,00000000,00000000), ref: 005C77DA
                                                                              • Part of subcall function 005C7770: GetLastError.KERNEL32 ref: 005C77F4
                                                                              • Part of subcall function 005C7770: GetLastError.KERNEL32 ref: 005C7809
                                                                              • Part of subcall function 005C7770: _CxxThrowException.VCRUNTIME140(?,005DCC24,0000000F,00000000,00000001), ref: 005C7870
                                                                              • Part of subcall function 005C7770: RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000), ref: 005C7899
                                                                            • _CxxThrowException.VCRUNTIME140(?,005DCC24,00000010,Invalid repository data,005D34F6,00000000,005D34F6,00000000,005D34F6,00000000), ref: 005BECB7
                                                                              • Part of subcall function 005B4370: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?,00000000,?,005B42CF,?,00000000,0000023A,?,?,?,005B10A4,Pacific/Marquesas,00000011), ref: 005B438A
                                                                              • Part of subcall function 005B4370: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?,00000000,?,005B42CF,?,00000000,0000023A,?,?,?,005B10A4,Pacific/Marquesas,00000011), ref: 005B43AB
                                                                              • Part of subcall function 005BFD10: _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?,3A04C82C), ref: 005BFD4F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn$ErrorExceptionLastThrowXout_of_range@std@@$OpenQueryValue_stat64i32
                                                                            • String ID: %s enter {$%s exit }$.dll$.exe$CStealthManager::deleteHookDllAndUninstallFile$Invalid repository data$stealth_manager
                                                                            • API String ID: 3040068235-100804164
                                                                            • Opcode ID: 6d0d5a6e4f5210f2d7f9ee12ad9f4299011e62af5b1bcd78c442f8b264ab09a4
                                                                            • Instruction ID: 8451cecfdec7b901730f2054a686604726c41376673e7109cb845f67a6a9bf49
                                                                            • Opcode Fuzzy Hash: 6d0d5a6e4f5210f2d7f9ee12ad9f4299011e62af5b1bcd78c442f8b264ab09a4
                                                                            • Instruction Fuzzy Hash: D4128E30900259DFEB20EB68DC4ABEDBFB5BF51304F644099E00967292DB756E89CF52
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,750292F0,3A04C82C,00000000,750292F0), ref: 005C3E41
                                                                            • remove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,stealth_manager,Delete file : %s,?), ref: 005C3F34
                                                                            • CopyFileA.KERNEL32(?,?,00000000), ref: 005C3F59
                                                                            • CopyFileA.KERNEL32(?,?,00000000), ref: 005C3FAF
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                             • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: CopyFile$_stat64i32remove
                                                                            • String ID: Copy file %s to %s : %d$Delete file : %s$stealth_manager
                                                                            • API String ID: 4114102100-3378453047
                                                                            • Opcode ID: 98a386bb88e17d8d90741565ee9093831c6246f6e981292ee3d66952546889ef
                                                                            • Instruction ID: c200359152f07f730f001ff83d3720e36b37b9a88a291849ee1fd96a74629bfb
                                                                            • Opcode Fuzzy Hash: 98a386bb88e17d8d90741565ee9093831c6246f6e981292ee3d66952546889ef
                                                                            • Instruction Fuzzy Hash: 50619C70600249EFDF14DF68C848BEA3BB9FB19304F50855EF80697292D779EA85CB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,?,3A04C82C,00000000,?), ref: 005C969B
                                                                            • new.LIBCMT ref: 005C96AD
                                                                              • Part of subcall function 005CE041: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,005B4D78,00000001,3A04C82C,0000023A,?,00000000), ref: 005CE068
                                                                            • memset.VCRUNTIME140(00000000,00000000,00000488,00000488), ref: 005C96BF
                                                                            • memset.VCRUNTIME140(00000000,00000000,00000001,00000001,00000000,00000000), ref: 005C9898
                                                                            • strncpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,00000000,00000000,00000000,00000001,00000001,00000000,00000000), ref: 005C98A4
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?), ref: 005C9747
                                                                              • Part of subcall function 005CC710: __RTDynamicCast.VCRUNTIME140(005C9967,00000000,84],84],00000000,?,?,?,?,?,?,005C9967,00000000,00000000), ref: 005CC73F
                                                                              • Part of subcall function 005CC710: _CxxThrowException.VCRUNTIME140(?,005DCD08,Invalid Argument), ref: 005CC81C
                                                                            • memset.VCRUNTIME140(00000000,00000000,?,?), ref: 005C99A5
                                                                            • memmove.VCRUNTIME140(00000000,?,?,00000000,00000000,?,?), ref: 005C99B7
                                                                              • Part of subcall function 005B4370: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?,00000000,?,005B42CF,?,00000000,0000023A,?,?,?,005B10A4,Pacific/Marquesas,00000011), ref: 005B438A
                                                                              • Part of subcall function 005B4370: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?,00000000,?,005B42CF,?,00000000,0000023A,?,?,?,005B10A4,Pacific/Marquesas,00000011), ref: 005B43AB
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                             • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: memset$Xout_of_range@std@@_stat64i32$CastDynamicExceptionThrowmallocmemmovestrncpy
                                                                            • String ID:
                                                                            • API String ID: 3854998649-0
                                                                            • Opcode ID: 4342bdbae0a82a8818a25253f5cf17ec73c0b37a2ba6b6dea81bec8bbf592802
                                                                            • Instruction ID: 1b3634b7fe6b5c363a75665caf6cf5c4317209c7df88544a977f4aabab23e9c0
                                                                            • Opcode Fuzzy Hash: 4342bdbae0a82a8818a25253f5cf17ec73c0b37a2ba6b6dea81bec8bbf592802
                                                                            • Instruction Fuzzy Hash: 88C13C70A002199FDB24DFA4C889FAEBBB5FF48304F14415DE505AB282DB75AD45CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000018,00000009), ref: 005CB2CE
                                                                            • memset.VCRUNTIME140(?,00000000,00000424), ref: 005CB2F3
                                                                            • Module32FirstW.KERNEL32(00000000,00000428), ref: 005CB30D
                                                                              • Part of subcall function 005CC070: new.LIBCMT ref: 005CC075
                                                                              • Part of subcall function 005CB5A0: ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(vector<T> too long,005C862E,00000009), ref: 005CB5CA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                             • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: CreateFirstModule32SnapshotToolhelp32Xlength_error@std@@memset
                                                                            • String ID: list<T> too long
                                                                            • API String ID: 2770869650-4027344264
                                                                            • Opcode ID: 9990106ab542464fb75da02f08c12f328a3797f62bb24138bfb28a19e0828bc7
                                                                            • Instruction ID: 99be868b7d86685d7dbd5da6a96365a0a3eaf71eb8397e546cf3e4450071e11a
                                                                            • Opcode Fuzzy Hash: 9990106ab542464fb75da02f08c12f328a3797f62bb24138bfb28a19e0828bc7
                                                                            • Instruction Fuzzy Hash: 77814EB0900219DFDB24DFA4CC89B9EBBB8FF44304F10859DE609A7291DB755A48CF65
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 005C2100: OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,75920F00,00000000,?,?,?,?,?,?,00000000,005D0A48,000000FF,?,005B2D79), ref: 005C2152
                                                                              • Part of subcall function 005C2100: OpenServiceA.ADVAPI32(00000000,?,00010002), ref: 005C217D
                                                                              • Part of subcall function 005C2100: ChangeServiceConfig2W.ADVAPI32(00000000), ref: 005C21C0
                                                                              • Part of subcall function 005C2100: DeleteService.ADVAPI32(00000000), ref: 005C21C7
                                                                              • Part of subcall function 005C2100: CloseServiceHandle.ADVAPI32(00000000), ref: 005C21D6
                                                                              • Part of subcall function 005C2100: CloseServiceHandle.ADVAPI32(00000000), ref: 005C21FB
                                                                            • GetFileAttributesA.KERNELBASE(?,?,?,?,?,?,?,?,00000011), ref: 005C0F36
                                                                              • Part of subcall function 005B2590: new.LIBCMT ref: 005B25C2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                             • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Service$CloseHandleOpen$AttributesChangeConfig2DeleteFileManager
                                                                            • String ID: Delete nf driver failed : %d$Successfully deleted nf driver folder$de_netfilter$nfdrive$stealth_manager
                                                                            • API String ID: 197650353-3270424674
                                                                            • Opcode ID: 3c045edb9a3e3a34edd08b1b29fa37fff767d1d01790a25b58ac80d0c6192977
                                                                            • Instruction ID: 2078474bc004e57980366339ce5e6151471270d8dea04b3b9105fe51f0977498
                                                                            • Opcode Fuzzy Hash: 3c045edb9a3e3a34edd08b1b29fa37fff767d1d01790a25b58ac80d0c6192977
                                                                            • Instruction Fuzzy Hash: 1F418730A04249DFEF24EBA8D849BED7FB5FB05304F50055EE411AB2D2DB71A945CB61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • WTSEnumerateSessionsA.WTSAPI32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 005CC172
                                                                            • WTSFreeMemory.WTSAPI32(?), ref: 005CC199
                                                                            • GetLastError.KERNEL32 ref: 005CC1B5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                             • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: EnumerateErrorFreeLastMemorySessions
                                                                            • String ID: CANNOT FIND REAL SESSION # GOT : %d$GET SESSION ERROR : %d$fxstd::fxwshelper
                                                                            • API String ID: 1558365644-4019733835
                                                                            • Opcode ID: dbc3ba761991d064a50723c7f4b7742d806e76e383655102ea17fc2156edcb61
                                                                            • Instruction ID: 65cd60a7dd82543152477515d72a1ba160a9384055deed3739ae648f376daee6
                                                                            • Opcode Fuzzy Hash: dbc3ba761991d064a50723c7f4b7742d806e76e383655102ea17fc2156edcb61
                                                                            • Instruction Fuzzy Hash: 8D11CA31B0010A6FDB10ABE89C4AFAE7F68BB45710F14025FF815AB3C1DA716E05C791
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,75918B60,00000000,00000000), ref: 005C73CC
                                                                            • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 005C73F5
                                                                            • GetFileTime.KERNEL32(00000000,00000000,?,?), ref: 005C740D
                                                                            • GetLastError.KERNEL32 ref: 005C7417
                                                                            • CloseHandle.KERNEL32(00000000), ref: 005C7420
                                                                            • GetLastError.KERNEL32 ref: 005C7428
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                             • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorFileLast$CloseCreateHandleTime_stat64i32
                                                                            • String ID:
                                                                            • API String ID: 3741799282-0
                                                                            • Opcode ID: b90cfa9c39767a8377d6cdac2b76635cc94be49af25871ade501f244743b1a8c
                                                                            • Instruction ID: e64bcf3319461c9ffe79f172604962e047c4aacb0fe71bbf0108993c60b056af
                                                                            • Opcode Fuzzy Hash: b90cfa9c39767a8377d6cdac2b76635cc94be49af25871ade501f244743b1a8c
                                                                            • Instruction Fuzzy Hash: B011C331205209AFDB209FA4DC89EAB7BACFB48350F10452AFD11C6190DB30EA05CFE2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?,?,?,?,?,00000000,00000000), ref: 005C4263
                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 005C428E
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4783
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4790
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B479D
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B47A8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                             • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn$CopyFile_stat64i32
                                                                            • String ID: Update %s$libs\$stealth_manager
                                                                            • API String ID: 3048520692-1913737693
                                                                            • Opcode ID: 99e8a8efb1f6ab2a2a98725a96f12b0e9f66180dd645d7bc0a15d642e5a19ef9
                                                                            • Instruction ID: 244698ef5d191c890523daf6f352ff0f9dd14ca28bb8943aa602931f6a6d8eef
                                                                            • Opcode Fuzzy Hash: 99e8a8efb1f6ab2a2a98725a96f12b0e9f66180dd645d7bc0a15d642e5a19ef9
                                                                            • Instruction Fuzzy Hash: EDB18D70900249DEEF24DFA8D859FEEBFB5FB01304F604459E411AB292C775AA49CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,LicenseInfo,Get GU PATH : %s), ref: 005C8E27
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?), ref: 005C8E56
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4783
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4790
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B479D
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B47A8
                                                                              • Part of subcall function 005BA4B0: fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,000000FF,750292F0,?,?,?,005C975E), ref: 005BA4BA
                                                                              • Part of subcall function 005BA4B0: new.LIBCMT ref: 005BA4CB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                             • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                             • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn$_stat64i32$fopen
                                                                            • String ID: Get GU PATH : %s$LicenseInfo$gutype.dat
                                                                            • API String ID: 2269806401-3769785672
                                                                            • Opcode ID: c0298da9baddab6089b928828ccb6776deccca9eddeb98fd3c3c92f7992c3cdd
                                                                            • Instruction ID: a5603a1db2ff4a33c1a1863cf0b3c997aafcc5560382acd220da592330612f56
                                                                            • Opcode Fuzzy Hash: c0298da9baddab6089b928828ccb6776deccca9eddeb98fd3c3c92f7992c3cdd
                                                                            • Instruction Fuzzy Hash: BC416B70A10259DFDF20DBA8D849BEEBBB5FF14700F50005AE815A7282DB756A05CF91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

APIs
• _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,LicenseInfo,Set GU PATH : %s), ref: 005C8FC9
  • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4783
  • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4790
  • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B479D
  • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B47A8
Strings
Memory Dump Source
• Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$_stat64i32
• String ID: LicenseInfo$Set GU PATH : %s$gutype.dat$w
• API String ID: 1866921897-3515572238
• Opcode ID: b198b9c7601735452f416baa0d9fe14f09af7fc07ba46f7c6fe0a7e30a7ea175
• Instruction ID: 237f501200f85f51b512cb8207153a3b4e6a823982b90d69b345b15b9e4d87d9
• Opcode Fuzzy Hash: b198b9c7601735452f416baa0d9fe14f09af7fc07ba46f7c6fe0a7e30a7ea175
• Instruction Fuzzy Hash: 91417C30A04259EFEB20DFA8D849BEEBBB5FF54700F50005AE415A7382DB756A45CF91
Uniqueness

Uniqueness Score: -1.00%

APIs
• ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,00000058,00000040,00000000,?,005BCC58,?,00000000,000000FF,{d07606c8-6532-4d75-a46d-f5f5ac6ef74a},00000026,SOFTWARE\Classes\CLSID\,00000017), ref: 005B623A
• ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,00000058,00000040,00000000,?,005BCC58,?,00000000,000000FF,{d07606c8-6532-4d75-a46d-f5f5ac6ef74a},00000026,SOFTWARE\Classes\CLSID\,00000017), ref: 005B625D
• memmove.VCRUNTIME140(?,?,00000000,?,?,00000058,00000040,00000000,?,005BCC58,?,00000000,000000FF,{d07606c8-6532-4d75-a46d-f5f5ac6ef74a},00000026,SOFTWARE\Classes\CLSID\), ref: 005B62A1
Strings
Memory Dump Source
• Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
Similarity
• API ID: Xlength_error@std@@Xout_of_range@std@@memmove
• String ID: invalid string position$string too long
• API String ID: 1352685159-4289949731
• Opcode ID: 13bef7cd41df7e140717e92bfdf16302f3fd95dda6c587ddebc45e3a34070b8c
• Instruction ID: 0f4e60d46eca5c6931a14bd2ab11566d3ea2765591bd5901858401b336e53c5e
• Opcode Fuzzy Hash: 13bef7cd41df7e140717e92bfdf16302f3fd95dda6c587ddebc45e3a34070b8c
• Instruction Fuzzy Hash: DF21D0753002059F9B24CF9DE8809AAFBE9FF94700300043EE406C7211DB70F919CBA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?,3A04C82C), ref: 005BFD4F
  • Part of subcall function 005BA430: remove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,750292F0,?,005BFD6C), ref: 005BA435
  • Part of subcall function 005BA430: MoveFileExA.KERNEL32(00000000,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 005BA449
Strings
Memory Dump Source
• Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
Similarity
• API ID: FileMove_stat64i32remove
• String ID: Failed [%d] to delete %s$File "%s" does not exists.$Sucessfully delete or pending delete %s$stealth_manager
• API String ID: 3784990336-3582675600
• Opcode ID: 1d29f8cbadc501391741207775562a34c4db7742eb4aabb9ef1bca6a2fa88ff2
• Instruction ID: 24f6102dd01d86a8301ef8b67fc686f7a147d85e998795b5b44923a54e0768d4
• Opcode Fuzzy Hash: 1d29f8cbadc501391741207775562a34c4db7742eb4aabb9ef1bca6a2fa88ff2
• Instruction Fuzzy Hash: E3213971600209EFDF14DF59DC45AEE7BA8FB18700F80452BFC2686281EB75AA55CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• new.LIBCMT ref: 005B8129
  • Part of subcall function 005CE041: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,005B4D78,00000001,3A04C82C,0000023A,?,00000000), ref: 005CE068
• SysAllocString.OLEAUT32(ROOT\CIMV2), ref: 005B8162
• _com_issue_error.COMSUPP ref: 005B8173
• _com_issue_error.COMSUPP ref: 005B818C
Strings
Memory Dump Source
• Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
Similarity
• API ID: _com_issue_error$AllocStringmalloc
• String ID: ROOT\CIMV2
• API String ID: 2559737271-2786109267
• Opcode ID: 91f113637a69285356572e6f9a0dc39434c648bf67847fd388a4d67dd24168a6
• Instruction ID: 9fc36b1296cd806ba164c62f0b788a8ebba55db50cd3340534ec4f9e3c94e0a3
• Opcode Fuzzy Hash: 91f113637a69285356572e6f9a0dc39434c648bf67847fd388a4d67dd24168a6
• Instruction Fuzzy Hash: 6E11A571901756DBD3209F99C905B56FBE8FB54B20F10432FE855A7380D7F5A940C790
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.VCRUNTIME140(?,00000000,00000228,3A04C82C,00000000,00000000), ref: 005C9FF9
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 005CA00F
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 005CA028
• Process32NextW.KERNEL32(00000000,0000022C), ref: 005CA1C3
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 005CA1D2
Memory Dump Source
• Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
Similarity
• API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32memset
• String ID:
• API String ID: 2518216231-0
• Opcode ID: 982d3e8238a8cf002c192f52559d111b1f5bbe5a6bb3c46b4528829b776f1da8
• Instruction ID: 86daab247f0e0737e835b45a0faab4f5e3741c6ab4b6a6c1e9cd595b25a5782a
• Opcode Fuzzy Hash: 982d3e8238a8cf002c192f52559d111b1f5bbe5a6bb3c46b4528829b776f1da8
• Instruction Fuzzy Hash: 74615A709002599FDB20DFA4C989B9EBBB8FF44308F14469EE419A7291DB74AA44CF51
Uniqueness

Uniqueness Score: -1.00%

APIs
• ?_Xbad_alloc@std@@YAXXZ.MSVCP140(3A04C82C,?,?,750292F0,?,750292F0), ref: 005B4B04
• ?_Xbad_alloc@std@@YAXXZ.MSVCP140(3A04C82C,?,?,750292F0,?,750292F0), ref: 005B4B1A
• new.LIBCMT ref: 005B4B21
• new.LIBCMT ref: 005B4B35
  • Part of subcall function 005CE041: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,005B4D78,00000001,3A04C82C,0000023A,?,00000000), ref: 005CE068
• memmove.VCRUNTIME140(00000000,?,?,750292F0,?,750292F0), ref: 005B4B83
Memory Dump Source
• Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
Similarity
• API ID: Xbad_alloc@std@@$mallocmemmove
• String ID:
• API String ID: 186744070-0
• Opcode ID: b31d686b1d21a757ed436de47ef3014b42e4116bed8c6ca0e3b90a9e43cbbc6e
• Instruction ID: 32eee57d6f006ffb862bda065eb557aa85a80b29e98d0eef67bdbaa6d1b2ae85
• Opcode Fuzzy Hash: b31d686b1d21a757ed436de47ef3014b42e4116bed8c6ca0e3b90a9e43cbbc6e
• Instruction Fuzzy Hash: 3D41B671600601DBCB34DF64D985BAABFE5FB44750B204A2DE552C7292D730F904CB65
Uniqueness

Uniqueness Score: -1.00%

APIs
• _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005CA767,?,?,?,?,?,?,?,?,00000000,00000000), ref: 005C8A80
• _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005CA767,?,?,?,?,?,?,?,?,00000000,00000000), ref: 005C8A95
• _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005CA767,?,?,?,?,?,?,?,?,00000000,00000000), ref: 005C8AA2
• _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005CA767,?,?,?,?,?,?,?,?,00000000,00000000), ref: 005C8AAF
• _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005CA767,?,?,?,?,?,?,?,?,00000000,00000000), ref: 005C8ABA
Memory Dump Source
• Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 3668304517-0
• Opcode ID: f7d6e7fb6c60e9c917435e6f6357f5ff66e938c826d25869cf539d6b406280a2
• Instruction ID: 894a4bfd184a224c3659a71e415c9eaad7eda059c38d87a9a7f32520e023f28b
• Opcode Fuzzy Hash: f7d6e7fb6c60e9c917435e6f6357f5ff66e938c826d25869cf539d6b406280a2
• Instruction Fuzzy Hash: E7F082389020064FD7286BE4DE5CA7CBF65BB64321B14443FE94BC1215DE619A849973
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 005CC070: new.LIBCMT ref: 005CC075
  • Part of subcall function 005CB5A0: ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(vector<T> too long,005C862E,00000009), ref: 005CB5CA
• GetCurrentProcess.KERNEL32(?,00000008,00000000,00000000,3A04C82C), ref: 005CB051
• IsWow64Process.KERNEL32(00000000), ref: 005CB058
• OpenProcess.KERNEL32(00000410,00000000,00000009), ref: 005CB07A
• IsWow64Process.KERNEL32(00000000,00000000), ref: 005CB087
Memory Dump Source
• Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
Similarity
• API ID: Process$Wow64$CurrentOpenXlength_error@std@@
• String ID:
• API String ID: 2815037454-0
• Opcode ID: 0cec4882d54ea69c943e3d243a204b02dfd61f58cd455c5faad2e04e6fb44695
• Instruction ID: fd5c4e7e4687ef06b4ea850dbf98f00f81feb4c272866f9fd252df0ff8b4cf45
• Opcode Fuzzy Hash: 0cec4882d54ea69c943e3d243a204b02dfd61f58cd455c5faad2e04e6fb44695
• Instruction Fuzzy Hash: 80513DB0A0020AEFEB14DF94D95ABAFBFB5FF44304F14451EE515AB280D7B95908CB91
Uniqueness

Uniqueness Score: -1.00%

APIs
• ?_Xbad_alloc@std@@YAXXZ.MSVCP140(3A04C82C,?,?,?,?,00000000,00000000,000000FF,?,00000000), ref: 005CA6AF
• ?_Xbad_alloc@std@@YAXXZ.MSVCP140(3A04C82C,?,?,?,?,00000000,00000000,000000FF,?,00000000), ref: 005CA6C6
• new.LIBCMT ref: 005CA6CD
Memory Dump Source
• Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
Similarity
• API ID: Xbad_alloc@std@@
• String ID:
• API String ID: 3815834350-0
• Opcode ID: 51560e2f85f89d2fb44963701a9ed5986f8adc4ae6891a924f369691bf3066b2
• Instruction ID: 74b198990fe2eede0fa0b0a08878af052f600b0bab0cb7421f4a7f7dd5e90de8
• Opcode Fuzzy Hash: 51560e2f85f89d2fb44963701a9ed5986f8adc4ae6891a924f369691bf3066b2
• Instruction Fuzzy Hash: 8431E972E001059FCB18DF98CD46B6EBFB5FB94304F19416EE805EB351E6309940C792
Uniqueness

Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xbad_alloc@std@@YAXXZ.MSVCP140(?,005CA4FB,00000000,?,00000000,?,005CAB20,?,3A04C82C,?,00000000,005C862E,005D1728,000000FF), ref: 005B4EA9
                                                                            • ?_Xbad_alloc@std@@YAXXZ.MSVCP140(?,005CA4FB,00000000,?,00000000,?,005CAB20,?,3A04C82C,?,00000000,005C862E,005D1728,000000FF), ref: 005B4EBF
                                                                            • new.LIBCMT ref: 005B4EC6
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Xbad_alloc@std@@
                                                                            • String ID:
                                                                            • API String ID: 3815834350-0
                                                                            • Opcode ID: e21000bac1fea83cf85134ab3d95f09d8587252391f7ac4d6057ca82213f69b5
                                                                            • Instruction ID: 13cd9df58db094b2b2f0c1dad03ac16a7d657ba3f6a6e20896893126ca32dc3f
                                                                            • Opcode Fuzzy Hash: e21000bac1fea83cf85134ab3d95f09d8587252391f7ac4d6057ca82213f69b5
                                                                            • Instruction Fuzzy Hash: 38F027B36001000FD728E7B4A80BD6E3B8CBB64364704023FF11AC6292F631E9A4D65B
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 005C6A90: WTSQueryUserToken.WTSAPI32(00000000,00000000,005D39AC,00000000,3A04C82C,00000000), ref: 005C6B37
                                                                              • Part of subcall function 005C6A90: SHGetFolderPathW.SHELL32(00000000,0000001A(CSIDL_APPDATA),00000000,00000000,?), ref: 005C6B58
                                                                              • Part of subcall function 005C6A90: CloseHandle.KERNEL32(00000000,?), ref: 005C6C03
                                                                              • Part of subcall function 005C6A90: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001C(CSIDL_LOCAL_APPDATA),00000000,005D39AC,00000000,3A04C82C,00000000), ref: 005C6C36
                                                                            • GetFileAttributesA.KERNELBASE(?,\extensions,0000000B,3A04C82C,00000000,00000000), ref: 005C71A9
                                                                              • Part of subcall function 005B45B0: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,3A04C82C,00000000,?,?,005B44EF,00000000,?,?,3A04C82D,?,?,005B4F78,3A04C82C,3A04C82D), ref: 005B45CA
                                                                              • Part of subcall function 005B45B0: ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,3A04C82C,00000000,?,?,005B44EF,00000000,?,?,3A04C82D,?,?,005B4F78,3A04C82C,3A04C82D), ref: 005B45ED
                                                                              • Part of subcall function 005B45B0: ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,3A04C82C,00000000,?,?,005B44EF,00000000,?,?,3A04C82D,?,?,005B4F78,3A04C82C,3A04C82D), ref: 005B4608
                                                                              • Part of subcall function 005B45B0: memmove.VCRUNTIME140(?,?,3A04C82D,3A04C82C,00000000,?,?,005B44EF,00000000,?,?,3A04C82D,?,?,005B4F78,3A04C82C), ref: 005B466F
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,?,00000000,000000FF,005D3638,00000001), ref: 005C71E3
                                                                              • Part of subcall function 005BA430: remove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,750292F0,?,005BFD6C), ref: 005BA435
                                                                              • Part of subcall function 005BA430: MoveFileExA.KERNEL32(00000000,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 005BA449
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: FileFolderPathXlength_error@std@@$AttributesCloseHandleMoveQuerySpecialTokenUserXout_of_range@std@@_stat64i32memmoveremove
                                                                            • String ID: \extensions
                                                                            • API String ID: 3934399924-794364624
                                                                            • Opcode ID: 1d5af55ebd0412627ae4a0fb94a5809f0d3f1944a022d34d1554443cec29e461
                                                                            • Instruction ID: 8a6851bc0ed72243a86f3beb22ed23ba941aa2837d7babf922bf6a71ffa83dc8
                                                                            • Opcode Fuzzy Hash: 1d5af55ebd0412627ae4a0fb94a5809f0d3f1944a022d34d1554443cec29e461
                                                                            • Instruction Fuzzy Hash: E7414C31E04209AFDF14DB94CC49BEEBBB9FB49310F544119E8157B282DB716E45CBA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(vector<T> too long,?,00000000,?,005CAB20,?,3A04C82C,?,00000000,005C862E,005D1728,000000FF), ref: 005CA4EF
                                                                            • memset.VCRUNTIME140(?,00000000,00000000,00000000,?,00000000,?,005CAB20,?,3A04C82C,?,00000000,005C862E,005D1728,000000FF), ref: 005CA50E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Xlength_error@std@@memset
                                                                            • String ID: vector<T> too long
                                                                            • API String ID: 1527646195-3788999226
                                                                            • Opcode ID: 3b97eec0bd57c631d1061188dfc02d3957273629d151992412f5a9deef4ead39
                                                                            • Instruction ID: ca30287ff2a03043e61332c59d369ee31aa30b6fedb93096d7de32042301f493
                                                                            • Opcode Fuzzy Hash: 3b97eec0bd57c631d1061188dfc02d3957273629d151992412f5a9deef4ead39
                                                                            • Instruction Fuzzy Hash: 5BF096B2901212AFC3105F98DC05B95FBE8BF44710F14811BF91483240E7B1A820CBD1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 005CC070: new.LIBCMT ref: 005CC075
                                                                              • Part of subcall function 005CB5A0: ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(vector<T> too long,005C862E,00000009), ref: 005CB5CA
                                                                              • Part of subcall function 005CAA20: memset.VCRUNTIME140(0000000A,00000000,000003B7,00000000,3F800000,005C862E,005C862E,00000009,00000000), ref: 005CAA43
                                                                              • Part of subcall function 005CAA20: NtWow64ReadVirtualMemory64.NTDLL(?,005C862E,005C862E,00000009,000003B8,00000000,?,00000000,3F800000,005C862E,005C862E,00000009,00000000), ref: 005CAA83
                                                                              • Part of subcall function 005CBBF0: memset.VCRUNTIME140(00000009,00000000,00000044,?,00000000,005C862E,?,?,?,005C862E,00000009,00000000), ref: 005CBC13
                                                                              • Part of subcall function 005CBBF0: NtWow64ReadVirtualMemory64.NTDLL(?,?,005C862E,?,00000048,00000000,?,?,00000000,005C862E,?,?,?,005C862E,00000009,00000000), ref: 005CBC50
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(list<T> too long,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,005C862E,00000009), ref: 005CBBA7
                                                                              • Part of subcall function 005CBC70: memset.VCRUNTIME140(?,00000000,000000C0,?,?,005C862E,?,?,?,?,?,?,005C862E,00000009,00000000), ref: 005CBC9D
                                                                              • Part of subcall function 005CBC70: NtWow64ReadVirtualMemory64.NTDLL(?,?,005C862E,?,000000C8,00000000,?,?,?,005C862E,?,?,?), ref: 005CBCDD
                                                                              • Part of subcall function 005B4710: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005B4B9C,?,?,750292F0,?,750292F0), ref: 005B4720
                                                                              • Part of subcall function 005B4710: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005B4B9C,?,?,750292F0,?,750292F0), ref: 005B4734
                                                                              • Part of subcall function 005B4710: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005B4B9C,?,?,750292F0,?,750292F0), ref: 005B4741
                                                                              • Part of subcall function 005B4710: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005B4B9C,?,?,750292F0,?,750292F0), ref: 005B474E
                                                                              • Part of subcall function 005B4710: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005B4B9C,?,?,750292F0,?,750292F0), ref: 005B4759
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn$Memory64ReadVirtualWow64memset$Xlength_error@std@@
                                                                            • String ID: list<T> too long
                                                                            • API String ID: 1356422784-4027344264
                                                                            • Opcode ID: 95a245a37ca1b53620c3558b0c30534915e1b8ef7aac41a0dd86b8373936a770
                                                                            • Instruction ID: 583d527911f2368cda285f5a6a61c5c88fa33c6558e475cb8601458b9bf84410
                                                                            • Opcode Fuzzy Hash: 95a245a37ca1b53620c3558b0c30534915e1b8ef7aac41a0dd86b8373936a770
                                                                            • Instruction Fuzzy Hash: 83813371C002099FEB20CF94C949BEEBBB9FF84304F148199E409AB251DB756E85CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(vector<T> too long,00000000,?,00000000,005CA197,?,00000000,00000000,000000FF,?,00000000), ref: 005CA61F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Xlength_error@std@@
                                                                            • String ID: vector<T> too long
                                                                            • API String ID: 1004598685-3788999226
                                                                            • Opcode ID: ea398cad3b59b5236bd4a94e7dde10d8790b1e977e5574cf42359f19a6e146bb
                                                                            • Instruction ID: a55f29b8914022dda3e367d573ef0afb6b1aa7109c02fda9b736f1470dff3da7
                                                                            • Opcode Fuzzy Hash: ea398cad3b59b5236bd4a94e7dde10d8790b1e977e5574cf42359f19a6e146bb
                                                                            • Instruction Fuzzy Hash: 9101F733B010280F475C486D5D5442D6987A7D922531EC33EE506EF3C9E861DC5295C4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,?,005B6273,?,?,00000058,00000040,00000000,?,005BCC58,?,00000000,000000FF,{d07606c8-6532-4d75-a46d-f5f5ac6ef74a},00000026), ref: 005B47D4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Xlength_error@std@@
                                                                            • String ID: string too long
                                                                            • API String ID: 1004598685-2556327735
                                                                            • Opcode ID: eee653e46299738d390e4cbfe32f0b6fe4955660d559cf421cec81c8b51dfe27
                                                                            • Instruction ID: ca02be63c3eb84490be0c29efab96d0ceed88ba83a7047d69e3c3e03476c8b91
                                                                            • Opcode Fuzzy Hash: eee653e46299738d390e4cbfe32f0b6fe4955660d559cf421cec81c8b51dfe27
                                                                            • Instruction Fuzzy Hash: F4F05532C12331934B316FA4A4014EA3F19FF11B75322414BF8016F252CB22ED52CBE2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • new.LIBCMT ref: 005C90DF
                                                                            • memset.VCRUNTIME140(00000000,00000000,00000030,00000030,?,00000000,000000FF,3A04C82C,00000000,00000000), ref: 005C90EE
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: memset
                                                                            • String ID:
                                                                            • API String ID: 2221118986-0
                                                                            • Opcode ID: 264e76b6d5b7524a7f31dbdaeac6c8d295b7d8d995b45b18b4823ef6ae7052bc
                                                                            • Instruction ID: 1e0ca4120a20ad142bccb7f866d6edaff5c44e232f8561e19006dcd386eb6092
                                                                            • Opcode Fuzzy Hash: 264e76b6d5b7524a7f31dbdaeac6c8d295b7d8d995b45b18b4823ef6ae7052bc
                                                                            • Instruction Fuzzy Hash: E6318AB0504246EFEB24DF98D80AB9ABFF4FB01704F20455EE0159B7C2C7B6AA05CB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,000000FF,750292F0,?,?,?,005C975E), ref: 005BA4BA
                                                                            • new.LIBCMT ref: 005BA4CB
                                                                              • Part of subcall function 005CE041: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,005B4D78,00000001,3A04C82C,0000023A,?,00000000), ref: 005CE068
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: fopenmalloc
                                                                            • String ID:
                                                                            • API String ID: 1458608084-0
                                                                            • Opcode ID: 318508b68c68dcc5ef9137b8d9898ce26482f60280b21d474e9e376cfbb728bb
                                                                            • Instruction ID: 3e8c5b68605fa42c623d5dac9cb4758d1ba950aa69c4f7a3396ed5e24722c608
                                                                            • Opcode Fuzzy Hash: 318508b68c68dcc5ef9137b8d9898ce26482f60280b21d474e9e376cfbb728bb
                                                                            • Instruction Fuzzy Hash: 140175729052145ADB304B2998057E6BF95AF52324F78829EDC0C5B341F2B3994286D2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • remove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,750292F0,?,005BFD6C), ref: 005BA435
                                                                            • MoveFileExA.KERNEL32(00000000,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 005BA449
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: FileMoveremove
                                                                            • String ID:
                                                                            • API String ID: 1863355238-0
                                                                            • Opcode ID: b7a2bfab516ac3aace3d2c50f3437cd760a3dcb63c9064652958559678b39b6f
                                                                            • Instruction ID: a7171c505d63c66b16936d80e2794d9b9a9a5e6335eb2f59c0697591d07d5c30
                                                                            • Opcode Fuzzy Hash: b7a2bfab516ac3aace3d2c50f3437cd760a3dcb63c9064652958559678b39b6f
                                                                            • Instruction Fuzzy Hash: 1AD05E3274212167E730266A7C0DBAB9B98ABA1E71F090037FA04E6250EAD4DD4660A2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Init@locale@std@@CAPAV_Locimp@12@_N@Z.MSVCP140(00000001,3A04C82C,?,?,?,?,?,?,000000FF,005D00D6,000000FF), ref: 005BC57E
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Init@locale@std@@Locimp@12@_
                                                                            • String ID:
                                                                            • API String ID: 28175708-0
                                                                            • Opcode ID: 7dc4a59f2956c1960a33e0ca247200f6410f6cbea6638a33465f78e3b5971353
                                                                            • Instruction ID: d1eacca54957cbdb87c4b66b1d39795c9b9928b47883175b89d403994512f233
                                                                            • Opcode Fuzzy Hash: 7dc4a59f2956c1960a33e0ca247200f6410f6cbea6638a33465f78e3b5971353
                                                                            • Instruction Fuzzy Hash: E7412970A01249DFCB18CFA8D985BEEBBB5FF49304F50816DE416AB291D770A904CBA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • new.LIBCMT ref: 005B25C2
                                                                              • Part of subcall function 005CE041: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,005B4D78,00000001,3A04C82C,0000023A,?,00000000), ref: 005CE068
                                                                              • Part of subcall function 005B6A80: new.LIBCMT ref: 005B6ADD
                                                                              • Part of subcall function 005B6A80: InitializeCriticalSection.KERNEL32(00000004), ref: 005B6AF4
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalInitializeSectionmalloc
                                                                            • String ID:
                                                                            • API String ID: 4141300597-0
                                                                            • Opcode ID: 4a2eef5dcfd4d6838ef9e02d7a1f4ed100418a45b9ade920806248fc95a87bee
                                                                            • Instruction ID: 75ae69963eb9648bea88cbd3d11404e8622ad1741790881272b7fd85e36fc758
                                                                            • Opcode Fuzzy Hash: 4a2eef5dcfd4d6838ef9e02d7a1f4ed100418a45b9ade920806248fc95a87bee
                                                                            • Instruction Fuzzy Hash: BF11A171905749AFDB10DF54C845BAA7BA4FB55320F00436AF8159B290EB70E940C790
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • new.LIBCMT ref: 005B2652
                                                                              • Part of subcall function 005CE041: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,005B4D78,00000001,3A04C82C,0000023A,?,00000000), ref: 005CE068
                                                                              • Part of subcall function 005B6A80: new.LIBCMT ref: 005B6ADD
                                                                              • Part of subcall function 005B6A80: InitializeCriticalSection.KERNEL32(00000004), ref: 005B6AF4
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalInitializeSectionmalloc
                                                                            • String ID:
                                                                            • API String ID: 4141300597-0
                                                                            • Opcode ID: d639118b530322290a5f1bee8f467bbeb531cf101f4d44d80c1da1b7f487d63d
                                                                            • Instruction ID: ebcca3e627a3c3a4c45660e8baa945ea9f345bba0811b9d65e4c63d4f6144bce
                                                                            • Opcode Fuzzy Hash: d639118b530322290a5f1bee8f467bbeb531cf101f4d44d80c1da1b7f487d63d
                                                                            • Instruction Fuzzy Hash: 1E116171901746AFDB14DF54C845BAA7BA4FB59720F14436BF8159B290EB70E940C7A0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000002A,00000000,?), ref: 005BD493
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: FolderPathSpecial
                                                                            • String ID:
                                                                            • API String ID: 994120019-0
                                                                            • Opcode ID: 0673bf1a62dcc934455a1a00234b21d1c96a75fd022bb74ed78826097bcec0ff
                                                                            • Instruction ID: f4b9874b2de2227949bd4d83280653fa19aeddbdf417ecfc56518f859a5c61d9
                                                                            • Opcode Fuzzy Hash: 0673bf1a62dcc934455a1a00234b21d1c96a75fd022bb74ed78826097bcec0ff
                                                                            • Instruction Fuzzy Hash: 01019E30A042199ADB349F20C809BEABBB4AB15304F0001DDD88A57281DBF53A888B91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00002710,?,00000000,?), ref: 005B6CC2
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: __stdio_common_vsprintf
                                                                            • String ID:
                                                                            • API String ID: 9700413-0
                                                                            • Opcode ID: fa925130abef2fd0653737d9661d91540bb4cba95177cee7a73b5914898fe368
                                                                            • Instruction ID: b91c34c811c7da347d833bcf4c1f5eeb240226c5d7c1edf01f98770445e0f4f3
                                                                            • Opcode Fuzzy Hash: fa925130abef2fd0653737d9661d91540bb4cba95177cee7a73b5914898fe368
                                                                            • Instruction Fuzzy Hash: F7018131600208AFDB00EF58DC8ADAF7BA9FF88310F00449AF90597251CA71BD20DBA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 005BA58B
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: fclose
                                                                            • String ID:
                                                                            • API String ID: 3125558077-0
                                                                            • Opcode ID: 664900c958c41d3b8199e1141ccdb681a2b8541e1dfc71c11ef125e1a3e5febc
                                                                            • Instruction ID: 4675e8dd557357bb37c1b52d8ee8878264b54e867be05550833463acefeb050f
                                                                            • Opcode Fuzzy Hash: 664900c958c41d3b8199e1141ccdb681a2b8541e1dfc71c11ef125e1a3e5febc
                                                                            • Instruction Fuzzy Hash: 91C04CB5A0571187EB309B18B90878377EC6F04714F05446AE45ED7640D678FE548AA6
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetFileAttributesA.KERNELBASE(?,005B5948), ref: 005BA741
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: AttributesFile
                                                                            • String ID:
                                                                            • API String ID: 3188754299-0
                                                                            • Opcode ID: edc1526b22e530b89b8c92ded006a130edf5c52d58f95f995f015b39fa0ec412
                                                                            • Instruction ID: 7ff6fd676cb70d33c154b4ed235182bb9b0231efd9b1613bcbb403f0c63beea6
                                                                            • Opcode Fuzzy Hash: edc1526b22e530b89b8c92ded006a130edf5c52d58f95f995f015b39fa0ec412
                                                                            • Instruction Fuzzy Hash: D6B092280096001A9E281A38592C1D92B20E9527A57D85B81D478854F18B3AA94FA592
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • FindFirstFileA.KERNEL32(00000000,?,\*.*,00000004,00000000,00000000,000000FF,?,?,3A04C82C,75923310,005DEB78,00000000), ref: 005BAAFE
                                                                            • remove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000), ref: 005BAC22
                                                                            • FindNextFileA.KERNEL32(00000000,?), ref: 005BAC33
                                                                            • FindClose.KERNEL32(00000000), ref: 005BAC3F
                                                                            • GetLastError.KERNEL32 ref: 005BAC45
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Find$File$CloseErrorFirstLastNextremove
                                                                            • String ID: .$\*.*
                                                                            • API String ID: 779300091-3701014519
                                                                            • Opcode ID: dfd58d0c696627043632f57356b87071ed2ae9207d9da4a53bc21a99b1bc3765
                                                                            • Instruction ID: 9f72f636bde160100967017ce3587d54553ee5a778bb0df4418436ba72d6ed8c
                                                                            • Opcode Fuzzy Hash: dfd58d0c696627043632f57356b87071ed2ae9207d9da4a53bc21a99b1bc3765
                                                                            • Instruction Fuzzy Hash: 1971AE70800249DFEB25DBA4C899BEEBFB5FB05300F540099E415B7292D7756E89CFA2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • FindFirstFileA.KERNEL32(00000000,?,\*.*,00000004,00000000,00000000,000000FF,?,?,3A04C82C,75920F00,00000000), ref: 005BA85E
                                                                              • Part of subcall function 005BA430: remove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,750292F0,?,005BFD6C), ref: 005BA435
                                                                              • Part of subcall function 005BA430: MoveFileExA.KERNEL32(00000000,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 005BA449
                                                                            • FindNextFileA.KERNEL32(00000000,?), ref: 005BA98B
                                                                            • FindClose.KERNEL32(00000000), ref: 005BA997
                                                                            • GetLastError.KERNEL32 ref: 005BA99D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: FileFind$CloseErrorFirstLastMoveNextremove
                                                                            • String ID: .$\*.*
                                                                            • API String ID: 1879715955-3701014519
                                                                            • Opcode ID: 8ba7bfc24786e2e6b93e5714a0ae7351d9cf6dcb749b7ef78fc5b84997ceb38a
                                                                            • Instruction ID: c636c9c7ebb5c6424adf0da3889787de9fc97160eb95ffc8d6bc3576e22e50de
                                                                            • Opcode Fuzzy Hash: 8ba7bfc24786e2e6b93e5714a0ae7351d9cf6dcb749b7ef78fc5b84997ceb38a
                                                                            • Instruction Fuzzy Hash: E5718D308002599FEF25DBA4C859BEEBFB5FB06304F540199E405B7292DB752E85CF62
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • memmove.VCRUNTIME140(?,005CC4AD,00000010), ref: 005CC8B5
                                                                            • _CxxThrowException.VCRUNTIME140(00000000,005DCCC0,00000000,?,00000000,?,005CC4AD), ref: 005CCC64
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionThrowmemmove
                                                                            • String ID: $Xf]
                                                                            • API String ID: 3420374180-1818328592
                                                                            • Opcode ID: c6e89bce823434805611cc5155a9f811212373abf6051988f64f464aa8c0696e
                                                                            • Instruction ID: d81b840a12d242488b3d106174b3c5beb93e56e263332f52ffb210fc82e6be9a
                                                                            • Opcode Fuzzy Hash: c6e89bce823434805611cc5155a9f811212373abf6051988f64f464aa8c0696e
                                                                            • Instruction Fuzzy Hash: 91C1BE709001598FCB18CF68C894AAD7FE5FF89304F4984AEEC59EF256D734AA41CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • Sleep.KERNEL32(000001F4), ref: 005B3565
                                                                              • Part of subcall function 005B2450: __std_exception_destroy.VCRUNTIME140(?), ref: 005B2491
                                                                            • __std_exception_copy.VCRUNTIME140(?,?), ref: 005B35EB
                                                                            • _CxxThrowException.VCRUNTIME140(x7],005DCC24), ref: 005B3665
                                                                            • GetLastError.KERNEL32(x7],005DCC24), ref: 005B366E
                                                                            • Sleep.KERNEL32(000001F4), ref: 005B3687
                                                                            • __std_exception_destroy.VCRUNTIME140(?), ref: 005B369E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Sleep__std_exception_destroy$ErrorExceptionLastThrow__std_exception_copy
                                                                            • String ID: Error %s$`|9n$post_install$x7]
                                                                            • API String ID: 3014290511-698563706
                                                                            • Opcode ID: 3e64fbc908652b2c6fc5d9489053db602a2b1698c5875545a1a7d306e4910d99
                                                                            • Instruction ID: 880a6bed3fec0f5fd388414eb76fb62dd5a038e23e51b25ccba37bb26ed93752
                                                                            • Opcode Fuzzy Hash: 3e64fbc908652b2c6fc5d9489053db602a2b1698c5875545a1a7d306e4910d99
                                                                            • Instruction Fuzzy Hash: 4F4100B1D4021E9ADB30DB54CD49BDABFB8BF15304F4442E7E509A2241E774AB88CF65
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • Sleep.KERNEL32(000001F4), ref: 005B32A8
                                                                              • Part of subcall function 005B2450: __std_exception_destroy.VCRUNTIME140(?), ref: 005B2491
                                                                            • __std_exception_copy.VCRUNTIME140(?,?), ref: 005B331A
                                                                            • _CxxThrowException.VCRUNTIME140(x7],005DCC24), ref: 005B3394
                                                                            • GetLastError.KERNEL32(x7],005DCC24), ref: 005B33A3
                                                                            • GetLastError.KERNEL32(?,?,?,00000000,000000FF), ref: 005B33CD
                                                                            • Sleep.KERNEL32(000001F4,?,?,?,00000000,000000FF), ref: 005B33E3
                                                                            • __std_exception_destroy.VCRUNTIME140(?), ref: 005B33FA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLastSleep__std_exception_destroy$ExceptionThrow__std_exception_copy
                                                                            • String ID: Error %s$Last Error : %d [message : %s] retry count: %d$Unknown exception$`|9n$post_install$x7]
                                                                            • API String ID: 1914385622-1590388844
                                                                            • Opcode ID: bedb00db69b66fa1ab22b28db3831823b716e7b78f191b29ef264f81a7ba8e7b
                                                                            • Instruction ID: 64b25a4ab79faeb04902a46593018ad923569fb483b9ee2ade4ffddc75e78984
                                                                            • Opcode Fuzzy Hash: bedb00db69b66fa1ab22b28db3831823b716e7b78f191b29ef264f81a7ba8e7b
                                                                            • Instruction Fuzzy Hash: B9414CB49012599BDB20DB58CC49BDDBFB4BF54305F4041EAE108A7241EB706B88CF65
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • Sleep.KERNEL32(000001F4), ref: 005B341D
                                                                              • Part of subcall function 005B2450: __std_exception_destroy.VCRUNTIME140(?), ref: 005B2491
                                                                            • __std_exception_copy.VCRUNTIME140(?,?), ref: 005B348F
                                                                            • _CxxThrowException.VCRUNTIME140(x7],005DCC24), ref: 005B3509
                                                                            • GetLastError.KERNEL32(x7],005DCC24), ref: 005B3512
                                                                            • Sleep.KERNEL32(000001F4), ref: 005B352B
                                                                            • __std_exception_destroy.VCRUNTIME140(?), ref: 005B3542
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Sleep__std_exception_destroy$ErrorExceptionLastThrow__std_exception_copy
                                                                            • String ID: Error %s$`|9n$post_install$x7]
                                                                            • API String ID: 3014290511-698563706
                                                                            • Opcode ID: 6cbc84085559b1ff925d8fa406de9eb0dc4e0917d174a88e31094065c1a8de62
                                                                            • Instruction ID: c5aec037b0af53088c661243380c43c2db75e041aa88b12094da3d7f70e9e623
                                                                            • Opcode Fuzzy Hash: 6cbc84085559b1ff925d8fa406de9eb0dc4e0917d174a88e31094065c1a8de62
                                                                            • Instruction Fuzzy Hash: B9412CB094122D9ADB60DB54CC49BCDBFB8BF15304F5046EAE109A6241EB706BC8CF66
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • __RTDynamicCast.VCRUNTIME140(00000000,00000000,84],84],00000000,?,?,?,?,?,005C9B62,00000000,00000000,00000002,?,3A04C82C), ref: 005CC60F
                                                                              • Part of subcall function 005B2590: new.LIBCMT ref: 005B25C2
                                                                            • __RTDynamicCast.VCRUNTIME140(00000000,00000000,84],84],00000000,?,?,?,?,?,005C9B62,00000000,00000000,00000002,?,3A04C82C), ref: 005CC670
                                                                            • _CxxThrowException.VCRUNTIME140(?,005DCD08,Invalid Argument), ref: 005CC6FE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: CastDynamic$ExceptionThrow
                                                                            • String ID: %s (AES) Wrong Arguments$%s (RSA) Wrong Arguments$%s unsupport type exit }$84]$84]$84]$Cryptography::cCryptography::encrypt$Invalid Argument$Unsupported type$cryptography
                                                                            • API String ID: 2625377109-3487185056
                                                                            • Opcode ID: 0b2b36d51b3453d4ff3783908b0d0e3b6ae07bc9ca850c1018dc844099d5aa4a
                                                                            • Instruction ID: 47c5218affe93f306f2fce14bc74195eaa416064c25173625a80a2428e8cab2a
                                                                            • Opcode Fuzzy Hash: 0b2b36d51b3453d4ff3783908b0d0e3b6ae07bc9ca850c1018dc844099d5aa4a
                                                                            • Instruction Fuzzy Hash: CC21A8357402057BCE34BAAD8D0BFAE7E58BB85B14F10045FF905AB382D6A1A94146E6
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,00000000,00000000,system32,00000008,00000000,?), ref: 005B66A8
                                                                            • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?,?,00000000,00000000,system32,00000008,00000000,?), ref: 005B66C0
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,?,?,00000000,00000000,system32,00000008,00000000,?), ref: 005B6701
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long), ref: 005B672A
                                                                            • memmove.VCRUNTIME140(?,00000000,?,?,?,?,00000000,00000000,system32,00000008,00000000,?), ref: 005B67C9
                                                                            • memmove.VCRUNTIME140(00000000,?,00000000,?,?,?,00000000,00000000,system32,00000008,00000000,?), ref: 005B67FB
                                                                            • memmove.VCRUNTIME140(?,?,00000000,?,?,?,00000000,00000000,system32,00000008,00000000,?), ref: 005B683D
                                                                            • memmove.VCRUNTIME140(?,?,00000000,?,?,?,00000000,00000000,system32,00000008,00000000,?), ref: 005B6883
                                                                            • memmove.VCRUNTIME140(?,?,?,?,?,?,00000000,00000000,system32,00000008,00000000,?), ref: 005B68CB
                                                                            • memmove.VCRUNTIME140(?,?,00000000,?,?,?,00000000,00000000,system32,00000008,00000000,?), ref: 005B6903
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: memmove$Xlength_error@std@@Xout_of_range@std@@
                                                                            • String ID: invalid string position$string too long
                                                                            • API String ID: 2690457442-4289949731
                                                                            • Opcode ID: e9c4a513b0dac760697accd264d3ae8f96e732c51f959146af0cadf0f9c26f38
                                                                            • Instruction ID: 2f19381d0aeba7e82e502745b6b9cfeb3ff720a6a6e3786fae37c5ddcd938ebe
                                                                            • Opcode Fuzzy Hash: e9c4a513b0dac760697accd264d3ae8f96e732c51f959146af0cadf0f9c26f38
                                                                            • Instruction Fuzzy Hash: 44D13C70700205DBDF24CF48D9C499ABBB6FF88704B248929E8968B346CB34FD95DB95
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • __RTDynamicCast.VCRUNTIME140(005C9967,00000000,84],84],00000000,?,?,?,?,?,?,005C9967,00000000,00000000), ref: 005CC73F
                                                                              • Part of subcall function 005B2590: new.LIBCMT ref: 005B25C2
                                                                            • __RTDynamicCast.VCRUNTIME140(005C9967,00000000,84],84],00000000,?,?,?,?,?,?,005C9967,00000000,00000000), ref: 005CC79B
                                                                            • _CxxThrowException.VCRUNTIME140(?,005DCD08,Invalid Argument), ref: 005CC81C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: CastDynamic$ExceptionThrow
                                                                            • String ID: %s unsupport type exit }$84]$84]$84]$Cryptography::cCryptography::decrypt$Invalid Argument$Wrong Arguments$cryptography
                                                                            • API String ID: 2625377109-1808501998
                                                                            • Opcode ID: 1b3fe50f3a937917d8709ced9baf721cdeb1a2e0db3787f01c8544d00db9f766
                                                                            • Instruction ID: 54ee5bd1c646cd39ce6c9466e99faf87eeb7ccbf8fa614b869aabea2054170e4
                                                                            • Opcode Fuzzy Hash: 1b3fe50f3a937917d8709ced9baf721cdeb1a2e0db3787f01c8544d00db9f766
                                                                            • Instruction Fuzzy Hash: 5331D8357402053BDA347AAC5C4BFAA7E98FB85B10F50046FF909EB3C2D791690146E2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?,?,?,?,?,?,?,?,?,000000FF,005D00D6,000000FF), ref: 005B7A98
                                                                            • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?,?,?,?,?,?,?,?,?,?,?,000000FF,005D00D6,000000FF), ref: 005B7AB2
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,?,?,?,?,?,?,?,?,?,?,?,000000FF,005D00D6,000000FF), ref: 005B7AED
                                                                            • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 005B7B4D
                                                                            • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 005B7B9D
                                                                            • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 005B7BD7
                                                                            • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 005B7C1C
                                                                            • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 005B7C5F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: memmove$Xout_of_range@std@@$Xlength_error@std@@
                                                                            • String ID: invalid string position$string too long
                                                                            • API String ID: 1729942311-4289949731
                                                                            • Opcode ID: 9dff705a64ed07bf271f9ff88a303022ffca298a31657729d6d81f13767626f3
                                                                            • Instruction ID: 4f4c440e0d8720e6fd49a6e819a10e02d7e7edf7ac60c63dd8a44416d43a7b9b
                                                                            • Opcode Fuzzy Hash: 9dff705a64ed07bf271f9ff88a303022ffca298a31657729d6d81f13767626f3
                                                                            • Instruction Fuzzy Hash: 0CE1097160450ADFCB24CF58D5848AABBB6FFC8344720496EE8469B611DB30FE65CBE1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,00000000,00000000,system32,00000008,00000000,?), ref: 005B650D
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,00000000,00000000,system32,00000008,00000000,?), ref: 005B6532
                                                                            • memmove.VCRUNTIME140(?,?,?,?,00000000,00000000,system32,00000008,00000000,?), ref: 005B6579
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,00000000,00000000,system32,00000008,00000000,?), ref: 005B65A4
                                                                            • memmove.VCRUNTIME140(?,?,?,?,00000000,00000000,system32,00000008,00000000,?), ref: 005B662D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Xlength_error@std@@memmove$Xout_of_range@std@@
                                                                            • String ID: invalid string position$string too long
                                                                            • API String ID: 4132317908-4289949731
                                                                            • Opcode ID: d6d78ad15c47d2f4323bee6c59c9689c43cf9c61e246c3324d05145dfc998fc0
                                                                            • Instruction ID: 98bb952ab0a9b6c2b5f116c5da47f20c45b399b80cce0333beb4270486333b53
                                                                            • Opcode Fuzzy Hash: d6d78ad15c47d2f4323bee6c59c9689c43cf9c61e246c3324d05145dfc998fc0
                                                                            • Instruction Fuzzy Hash: 7061B1317002059FDB24CF5CD884AAABFF6FB94711B24892EE846C7381DB75ED508B91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,00000000,00000000,00000007,?,005C6261,00000000,?,00000000,000000FF,?), ref: 005C5BDA
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,00000000,00000000,00000007,?,005C6261,00000000,?,00000000,000000FF,?), ref: 005C5BFA
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,00000000,00000000,00000007,?,005C6261,00000000,?,00000000,000000FF,?), ref: 005C5C15
                                                                            • memmove.VCRUNTIME140(00000000,00000000,?,00000000,00000000,00000007,?,005C6261,00000000,?,00000000,000000FF,?), ref: 005C5C7C
                                                                            • memmove.VCRUNTIME140(00000000,?,00000000,00000000,00000000,00000007,?,005C6261,00000000,?,00000000,000000FF,?), ref: 005C5CC0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Xlength_error@std@@memmove$Xout_of_range@std@@
                                                                            • String ID: invalid string position$string too long
                                                                            • API String ID: 4132317908-4289949731
                                                                            • Opcode ID: 70900809da3ab02473f22651b536f9fed180f73accd709edf9e6673a79eba924
                                                                            • Instruction ID: d779b79ee9bc2645d22083a8ca8005c8f00a275102a53364d5c199ef7cee7079
                                                                            • Opcode Fuzzy Hash: 70900809da3ab02473f22651b536f9fed180f73accd709edf9e6673a79eba924
                                                                            • Instruction Fuzzy Hash: 68417C71700B058FD7248FDCE884E6ABBA5FB94B01B60092EE492C7251EB70FD80C7A5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 005B9440: new.LIBCMT ref: 005B9442
                                                                            • GetCurrentProcess.KERNEL32(00000000,3A04C82C,750292F0,00000000), ref: 005BCBDC
                                                                            • IsWow64Process.KERNEL32(00000000), ref: 005BCBE3
                                                                            • new.LIBCMT ref: 005BCC79
                                                                              • Part of subcall function 005B46A0: memmove.VCRUNTIME140(00000001,9U[,?,00000001,00000000,?,005B5539,00000000,005D3638,00000001), ref: 005B46BB
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4783
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4790
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B479D
                                                                              • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B47A8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn$Process$CurrentWow64memmove
                                                                            • String ID: Data$SOFTWARE\Classes\CLSID\$\MiscStatus\1${d07606c8-6532-4d75-a46d-f5f5ac6ef74a}
                                                                            • API String ID: 1129509905-531586979
                                                                            • Opcode ID: 08873bfc81585f815d3d5d988afa90bee19d1efe78608f485a7490e822729c96
                                                                            • Instruction ID: 13d5258446a55733ea8b280097ab817f72695a8524ba37c82a29c1cfa78e6298
                                                                            • Opcode Fuzzy Hash: 08873bfc81585f815d3d5d988afa90bee19d1efe78608f485a7490e822729c96
                                                                            • Instruction Fuzzy Hash: 3AC1DE70A04244DFEF18DF68D849BAEBFB5FF45304F600469E4129B292C771AD45CBA6
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _CxxThrowException.VCRUNTIME140(?,005DCCC0), ref: 005CC38A
                                                                            • new.LIBCMT ref: 005CC3AD
                                                                            • _CxxThrowException.VCRUNTIME140(?,005DCCC0), ref: 005CC436
                                                                            • memmove.VCRUNTIME140(00000000,?,?,?,?), ref: 005CC495
                                                                            • new.LIBCMT ref: 005CC4BD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionThrow$memmove
                                                                            • String ID: Invalid Argument
                                                                            • API String ID: 265668421-3158457447
                                                                            • Opcode ID: 9b6a12a9a10a2eb84a4d10ad50dd62a16fbbfa0c76b1f9e3ff82e13ee9c8c473
                                                                            • Instruction ID: 5687f7acbea9c0804b841378a80bacdfe4a95847488a2c1b56d08d07f301e8b6
                                                                            • Opcode Fuzzy Hash: 9b6a12a9a10a2eb84a4d10ad50dd62a16fbbfa0c76b1f9e3ff82e13ee9c8c473
                                                                            • Instruction Fuzzy Hash: B4516271500209AFCB14AF98D88AFAEBFB8FF44310F04456EF91997352D7B1A954CBA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?,?,?,?,?,?,?,?,000000FF,005D00D6,000000FF), ref: 005B7920
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,?,?,?,?,?,?,?,?,?,000000FF,005D00D6,000000FF), ref: 005B7949
                                                                            • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF,005D00D6,000000FF), ref: 005B799B
                                                                            • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 005B7A1A
                                                                            • memmove.VCRUNTIME140(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 005B7A42
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: memmove$Xlength_error@std@@Xout_of_range@std@@
                                                                            • String ID: invalid string position$string too long
                                                                            • API String ID: 2690457442-4289949731
                                                                            • Opcode ID: 33dd9bb927da2b49e9774d83abbde347b14e4a19c3730cd5c50e51bd9f1434ee
                                                                            • Instruction ID: 7bfc0e0fbbab5c16dd90f7a593002b39396d224966205ea7360e78418ab8fca1
                                                                            • Opcode Fuzzy Hash: 33dd9bb927da2b49e9774d83abbde347b14e4a19c3730cd5c50e51bd9f1434ee
                                                                            • Instruction Fuzzy Hash: 0A61607160460D9FCB24CF58D9848EEBBA6FFC8700720892EE846CB615E731FA55CB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • memmove.VCRUNTIME140(00000000,?,00000000,005CC3D8,?,?,?,?,?,?,?,?,005CC3D8,00000000,?,?), ref: 005CDB33
                                                                            • _CxxThrowException.VCRUNTIME140(?,005DCD08,cPKCS5Padding::createPaddedItem-Parameter Error), ref: 005CDBAB
                                                                            • memmove.VCRUNTIME140(00000000,?,?,?,?,?,?), ref: 005CDC0E
                                                                            • _CxxThrowException.VCRUNTIME140(?,005DCD08,cPKCS5Padding: Calculating error), ref: 005CDC92
                                                                            Strings
                                                                            • cPKCS5Padding: Padding bit error, xrefs: 005CDC39
                                                                            • cPKCS5Padding::createPaddedItem-Parameter Error, xrefs: 005CDB8D
                                                                            • cPKCS5Padding: There is no Padding applied, xrefs: 005CDC58
                                                                            • cPKCS5Padding: Calculating error, xrefs: 005CDC77
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionThrowmemmove
                                                                            • String ID: cPKCS5Padding: Calculating error$cPKCS5Padding: Padding bit error$cPKCS5Padding: There is no Padding applied$cPKCS5Padding::createPaddedItem-Parameter Error
                                                                            • API String ID: 3420374180-27806664
                                                                            • Opcode ID: 304d05aeab1c6b3b670a033405b12ef78543037a7403f66ef420ec34a8ec3e08
                                                                            • Instruction ID: 77f2ab6f7b749cea8ef7c42575f2adff2f2f083b856f554ccd1e28e346647ad2
                                                                            • Opcode Fuzzy Hash: 304d05aeab1c6b3b670a033405b12ef78543037a7403f66ef420ec34a8ec3e08
                                                                            • Instruction Fuzzy Hash: 334118312002056FCB24AEA8C856FBE7FA5FB85704F64056DE9409B282D7B39D0687F1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _com_issue_error.COMSUPP ref: 005CDDC4
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,005B80C5,?,00000000,00000000,?,?,?,?,?,005B80C5), ref: 005CDDD3
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,005B80C5), ref: 005CDDE6
                                                                            • GetLastError.KERNEL32(?,?,?,?,?,005B80C5), ref: 005CDDEE
                                                                            • _com_issue_error.COMSUPP ref: 005CDE01
                                                                            • SysAllocString.OLEAUT32(00000000), ref: 005CDE07
                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,005B80C5), ref: 005CDE18
                                                                            • _com_issue_error.COMSUPP ref: 005CDE29
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: _com_issue_error$free$AllocByteCharErrorLastMultiStringWide
                                                                            • String ID:
                                                                            • API String ID: 2419198754-0
                                                                            • Opcode ID: 2e50800aa42479d011b1d5af398c852389fea8217f6a4efc79fb20203f1bd011
                                                                            • Instruction ID: 9af6f73398ecafcb511a4974e58987e09c0da7b834e8ca4505a532b8e328e3cd
                                                                            • Opcode Fuzzy Hash: 2e50800aa42479d011b1d5af398c852389fea8217f6a4efc79fb20203f1bd011
                                                                            • Instruction Fuzzy Hash: 6C11C671A0021A9FDB206BE4984AF9F7B78FF98750F00013EF905E6180D669A940D6F5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • OpenProcess.KERNEL32(00000410,00000000,00000009,3A04C82C,00000000,?), ref: 005CA288
                                                                              • Part of subcall function 005CA4C0: ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(vector<T> too long,?,00000000,?,005CAB20,?,3A04C82C,?,00000000,005C862E,005D1728,000000FF), ref: 005CA4EF
                                                                              • Part of subcall function 005CA4C0: memset.VCRUNTIME140(?,00000000,00000000,00000000,?,00000000,?,005CAB20,?,3A04C82C,?,00000000,005C862E,005D1728,000000FF), ref: 005CA50E
                                                                            • K32GetModuleFileNameExW.KERNEL32(?,00000000,?,00000104,00000104,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005CA2C0
                                                                            • K32GetModuleFileNameExW.KERNEL32(?,00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,00000000,005D1670), ref: 005CA309
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(vector<T> too long,?,?,?,?,?,?,?,?,?,?,00000000,005D1670,000000FF,?,005CA219), ref: 005CA376
                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,005D1670,000000FF,?,005CA219), ref: 005CA466
                                                                              • Part of subcall function 005CA530: memmove.VCRUNTIME140(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,005D1670,000000FF), ref: 005CA591
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: FileModuleNameXlength_error@std@@$CloseHandleOpenProcessmemmovememset
                                                                            • String ID: vector<T> too long
                                                                            • API String ID: 1534356585-3788999226
                                                                            • Opcode ID: ec146b91da8698ae997a7ce89ff2ae74eb2cb6c75900e0910435bfcb9020b530
                                                                            • Instruction ID: 5a95ac57892357c655417bec56bc5195ae100101c69494c74f3efccf5ae843cb
                                                                            • Opcode Fuzzy Hash: ec146b91da8698ae997a7ce89ff2ae74eb2cb6c75900e0910435bfcb9020b530
                                                                            • Instruction Fuzzy Hash: 6E615C719002499ECF14EBE4CC89FEEBFB9BF85314F140519E816A7292DB70AE05CB61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?,00000000,?,005B42CF,?,00000000,0000023A,?,?,?,005B10A4,Pacific/Marquesas,00000011), ref: 005B438A
                                                                              • Part of subcall function 005B49E0: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?,?,005B43E3,00000000,0000023A,?,?,00000000,?,005B42CF,?,00000000,0000023A), ref: 005B49F6
                                                                            • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?,00000000,?,005B42CF,?,00000000,0000023A,?,?,?,005B10A4,Pacific/Marquesas,00000011), ref: 005B43AB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Xout_of_range@std@@
                                                                            • String ID: invalid string position$string too long
                                                                            • API String ID: 1960685668-4289949731
                                                                            • Opcode ID: 80e99309a9fec16884c88e126955ff3e481bbab0b5c8c779315a8684fa49ffbd
                                                                            • Instruction ID: 21907b5c0d9d1611217707d6a81a7c27938b3e66294b7823a3c461afe7263c46
                                                                            • Opcode Fuzzy Hash: 80e99309a9fec16884c88e126955ff3e481bbab0b5c8c779315a8684fa49ffbd
                                                                            • Instruction Fuzzy Hash: 953182323006108BDB309F9CE841B9BFFE5FB95B51F10492FE55687242D7B1A9508BA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,00000058,?,00000017,?,005B4130,?,00000017,?,00000040,00000000,?,005BCC26,SOFTWARE\Classes\CLSID\,00000017), ref: 005B482A
                                                                            • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,00000058,?,00000017,?,005B4130,?,00000017,?,00000040,00000000,?,005BCC26,SOFTWARE\Classes\CLSID\,00000017), ref: 005B484B
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,00000058,?,00000017,?,005B4130,?,00000017,?,00000040,00000000,?,005BCC26,SOFTWARE\Classes\CLSID\,00000017), ref: 005B4885
                                                                            • memmove.VCRUNTIME140(?,?,?,00000058,?,00000017,?,005B4130,?,00000017,?,00000040,00000000,?,005BCC26,SOFTWARE\Classes\CLSID\), ref: 005B48EE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Xout_of_range@std@@$Xlength_error@std@@memmove
                                                                            • String ID: invalid string position$string too long
                                                                            • API String ID: 3597620626-4289949731
                                                                            • Opcode ID: 5117da969f49a9f25134c4d3bb2cafdb7b221dc07ab5699488e6c0d708005451
                                                                            • Instruction ID: 999b4b59f169fa0019a03cf354b302873704dc46df10711fdbb677e2ac64a158
                                                                            • Opcode Fuzzy Hash: 5117da969f49a9f25134c4d3bb2cafdb7b221dc07ab5699488e6c0d708005451
                                                                            • Instruction Fuzzy Hash: 92318D327057149B87349F68E8848ABFBE5FFD4B113100A2FF556C7612EB31A914CBA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

APIs
• ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,3A04C82C,00000000,?,?,005B44EF,00000000,?,?,3A04C82D,?,?,005B4F78,3A04C82C,3A04C82D), ref: 005B45CA
• ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,3A04C82C,00000000,?,?,005B44EF,00000000,?,?,3A04C82D,?,?,005B4F78,3A04C82C,3A04C82D), ref: 005B45ED
• ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,3A04C82C,00000000,?,?,005B44EF,00000000,?,?,3A04C82D,?,?,005B4F78,3A04C82C,3A04C82D), ref: 005B4608
• memmove.VCRUNTIME140(?,?,3A04C82D,3A04C82C,00000000,?,?,005B44EF,00000000,?,?,3A04C82D,?,?,005B4F78,3A04C82C), ref: 005B466F
Strings
Memory Dump Source
• Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
Similarity
• API ID: Xlength_error@std@@$Xout_of_range@std@@memmove
• String ID: invalid string position$string too long
• API String ID: 3326265527-4289949731
• Opcode ID: cff48654c9acdcb6cc04982ec63b7a0f1f980254d34570fe4c7945cb66cf3cc9
• Instruction ID: 7d3efa2316d41ab40820c49b4ba1099f17dddb1ee198a8c5f15cd993a2683101
• Opcode Fuzzy Hash: cff48654c9acdcb6cc04982ec63b7a0f1f980254d34570fe4c7945cb66cf3cc9
• Instruction Fuzzy Hash: CB31B4723016459FDB348F5CE840AAABBE5FF95B11B10092FE556CB242D771ED008BA5
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 005B2590: new.LIBCMT ref: 005B25C2
• __std_exception_destroy.VCRUNTIME140(?), ref: 005C5889
Strings
Memory Dump Source
• Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
Similarity
• API ID: __std_exception_destroy
• String ID: 5$Unknown exception$Update libcrypto Error: %s$`|9n$stealth_manager
• API String ID: 2453523683-1910171895
• Opcode ID: b918909f03590bd30195b1ffc483a203408e604afffc522d8c5cd8f50a23e929
• Instruction ID: 3c4050d7d3c3b4db86f7a56bcb9cc4d4eff930bc20af2d55c85576fabc893c1f
• Opcode Fuzzy Hash: b918909f03590bd30195b1ffc483a203408e604afffc522d8c5cd8f50a23e929
• Instruction Fuzzy Hash: 16E0E670A00618ABDB25E7688C4EAD97EF4BB44301F4040DBA50597341EA745F448E62
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 005B2590: new.LIBCMT ref: 005B25C2
• __std_exception_destroy.VCRUNTIME140(?), ref: 005C5A4D
Strings
Memory Dump Source
• Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
Similarity
• API ID: __std_exception_destroy
• String ID: ;$Unknown exception$Update libssl Error: %s$`|9n$stealth_manager
• API String ID: 2453523683-1428053332
• Opcode ID: 7b0dde8d7e2c7e1a01fba412f49071bf7a483151aacbe9d12e6c1eb5938dbc63
• Instruction ID: 8f39281961f8ba9ad8385465b1f8c65b4c156735b6dfc09d56f005c5718c0156
• Opcode Fuzzy Hash: 7b0dde8d7e2c7e1a01fba412f49071bf7a483151aacbe9d12e6c1eb5938dbc63
• Instruction Fuzzy Hash: A4E0E670600614ABDB31E7588D5DBA97EE8BB54305F8000DBA44597341E6745F548A22
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 005B2590: new.LIBCMT ref: 005B25C2
• __std_exception_destroy.VCRUNTIME140(?), ref: 005C534F
Strings
Memory Dump Source
• Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
Similarity
• API ID: __std_exception_destroy
• String ID: #$Unknown exception$Update PocoNetSSL Error: %s$`|9n$stealth_manager
• API String ID: 2453523683-1002488867
• Opcode ID: d24e76fa746e444f663b3bb87e98d902b17b10e9a494ebd87ff47cdaa68b2e04
• Instruction ID: 67f534972172c204e0815bdfc4e1ed4dd17382e3d459bf8330824f10dc688171
• Opcode Fuzzy Hash: d24e76fa746e444f663b3bb87e98d902b17b10e9a494ebd87ff47cdaa68b2e04
• Instruction Fuzzy Hash: 8CE08620640206ABDF34ABA88D0DB6A7EF8BB04300F4000EBA40597341F6755F449A22
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 005B2590: new.LIBCMT ref: 005B25C2
• __std_exception_destroy.VCRUNTIME140(?), ref: 005C550D
Strings
Memory Dump Source
• Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
Similarity
• API ID: __std_exception_destroy
• String ID: )$Unknown exception$Update PocoUtil Error: %s$`|9n$stealth_manager
• API String ID: 2453523683-301406755
• Opcode ID: 1255b39da62781eb65c5c84c2ccf34ffc2e39cfd99cdf4c9fe747a7bde2e2b58
• Instruction ID: cb2e75a1c34fd4b05104484bb187a47cfedfdfebcda632831a53e7ed2168707c
• Opcode Fuzzy Hash: 1255b39da62781eb65c5c84c2ccf34ffc2e39cfd99cdf4c9fe747a7bde2e2b58
• Instruction Fuzzy Hash: 25E0EC70600614AFDF21E7A88D0DBAA7EE4BB54304F4040EBA445A7341E6B5AE848A22
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 005B2590: new.LIBCMT ref: 005B25C2
• __std_exception_destroy.VCRUNTIME140(?), ref: 005C56CB
Strings
Memory Dump Source
• Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
Similarity
• API ID: __std_exception_destroy
• String ID: /$Unknown exception$Update PocoXML Error: %s$`|9n$stealth_manager
• API String ID: 2453523683-4294564018
• Opcode ID: 2c00c44a41a9831790115fb83533354f6658c18ebc0d30425412cb33f3f6a8ee
• Instruction ID: fccabc975a2a5ff278441c5f652e03cfcf7d36e6ddcc618bef9d2b3d15c6f11b
• Opcode Fuzzy Hash: 2c00c44a41a9831790115fb83533354f6658c18ebc0d30425412cb33f3f6a8ee
• Instruction Fuzzy Hash: F1E0E630600214ABDB25A7688D1DAA97FF4FB54704F4045EBA40597342E7B55F848E62
Uniqueness
Uniqueness Score: -1.00%

APIs
• _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,00000000,3A04C82C,00000000,?), ref: 005B5C34
• _wstat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,?,?,00000001,?,00000000,000000FF,_%d,00000003,?,00000000,000000FF,?,00000000,000000FF), ref: 005B5D80
• wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000104), ref: 005B5D95
• rename.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,?,00000000), ref: 005B5E00
  • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4783
  • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4790
  • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B479D
  • Part of subcall function 005B4770: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B47A8
Strings
Memory Dump Source
• Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$_stat64i32_wstat64i32renamewcsnlen
• String ID: _%d
• API String ID: 1077365053-982369593
• Opcode ID: a2bd50b6a92fc97f912725a4409ccf16f0f2442d2728dbdd1b270a2607ebd3f2
• Instruction ID: d9c1741c3a082e0429b37d5038a21f9e87f5e71a17b5e371164e1859b628f1c2
• Opcode Fuzzy Hash: a2bd50b6a92fc97f912725a4409ccf16f0f2442d2728dbdd1b270a2607ebd3f2
• Instruction Fuzzy Hash: 158138709102299BDB24DB54CC99BDABBB9FF54300F5006D9E40AA7191DB75AF88CFA0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 005B2590: new.LIBCMT ref: 005B25C2
• __std_exception_destroy.VCRUNTIME140(?), ref: 005C44C5
Strings
Memory Dump Source
• Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
Similarity
• API ID: __std_exception_destroy
• String ID: Unknown exception$`|9n$check Update %s Error: %s$stealth_manager
• API String ID: 2453523683-2793709332
• Opcode ID: b93955212dd2733c75dd4e6ef7bd91b583ac2bc8dbdfcb083bce0ba2ec479c2f
• Instruction ID: 105551cdbeae2c02dc2707bc37e799bbb417255543df98154cd920122c44b75a
• Opcode Fuzzy Hash: b93955212dd2733c75dd4e6ef7bd91b583ac2bc8dbdfcb083bce0ba2ec479c2f
• Instruction Fuzzy Hash: 91E0C970600259EBEF24DFA9CC58F997AF8BB44201F4044ABE40AA7342D775DA548E21
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 005B2590: new.LIBCMT ref: 005B25C2
• __std_exception_destroy.VCRUNTIME140(?), ref: 005C5191
Strings
Memory Dump Source
• Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
Similarity
• API ID: __std_exception_destroy
• String ID: Unknown exception$Update PocoNet Error: %s$`|9n$stealth_manager
• API String ID: 2453523683-2902485909
• Opcode ID: 3a44aa8c952d759d6e3499f3694e4788c2a747e05b4f0e0167a2218a4141df60
• Instruction ID: fb15adaa422c727054e852aa426f21d63b6b0866c3d015ceb9d6c5771964f85e
• Opcode Fuzzy Hash: 3a44aa8c952d759d6e3499f3694e4788c2a747e05b4f0e0167a2218a4141df60
• Instruction Fuzzy Hash: 84E0E6206003549FEF61E758CC0DB5D7EE4BB44305F4484DBA40AA7341E6755F449F22
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 005B2590: new.LIBCMT ref: 005B25C2
• __std_exception_destroy.VCRUNTIME140(?), ref: 005C4C57
Strings
Memory Dump Source
• Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
Similarity
• API ID: __std_exception_destroy
• String ID: Unknown exception$Update PocoCrypto Error: %s$`|9n$stealth_manager
• API String ID: 2453523683-1206655735
• Opcode ID: d2499246c6f8334f7ea4fec9d8c9365a7f4845eade22c7a9f8fd36a18d0b1bec
• Instruction ID: 65862bb57d6e49ed1028867fb779bfbf8d09ecffd1344791f72c22dc2865ec59
• Opcode Fuzzy Hash: d2499246c6f8334f7ea4fec9d8c9365a7f4845eade22c7a9f8fd36a18d0b1bec
• Instruction Fuzzy Hash: 97E0EC60701214ABEB70E7688D5DFAABEF8BB44704F4045EBE409A7381E6749F448E22
Uniqueness
Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 005B2590: new.LIBCMT ref: 005B25C2
                                                                            • __std_exception_destroy.VCRUNTIME140(?), ref: 005C4E15
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: __std_exception_destroy
                                                                            • String ID: Unknown exception$Update PocoFoundation Error: %s$`|9n$stealth_manager
                                                                            • API String ID: 2453523683-816698803
                                                                            • Opcode ID: 3fa9ae4406bc7b4b0388dd92929617aa40060952d11446ad71a45c7d41e50f01
                                                                            • Instruction ID: 220d2f3dd508893910bcfd562a36ae6eb5bb5186b4eff1c6586edf044dc56242
                                                                            • Opcode Fuzzy Hash: 3fa9ae4406bc7b4b0388dd92929617aa40060952d11446ad71a45c7d41e50f01
                                                                            • Instruction Fuzzy Hash: E9E0EC70600218ABDB34A7A88D1DBA97EF8BB44705F4044EBA409A7342E6749E448A32
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 005B2590: new.LIBCMT ref: 005B25C2
                                                                            • __std_exception_destroy.VCRUNTIME140(?), ref: 005C4FD3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: __std_exception_destroy
                                                                            • String ID: Unknown exception$Update PocoJSON Error: %s$`|9n$stealth_manager
                                                                            • API String ID: 2453523683-3756654784
                                                                            • Opcode ID: 619e8b7c38ddcff93ddabbb864cd8ef50f53d4c740aa1c55b97ebb83bdc2226b
                                                                            • Instruction ID: 26397a2448784edcbaca80ccf619633102337c428cbbbb5f5a62e5635301adf7
                                                                            • Opcode Fuzzy Hash: 619e8b7c38ddcff93ddabbb864cd8ef50f53d4c740aa1c55b97ebb83bdc2226b
                                                                            • Instruction Fuzzy Hash: 51E0E620600255EFEB30E7A88C1DF5A7EF4BB44705F4044DBA405A7341E7745E44CA32
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xbad_alloc@std@@YAXXZ.MSVCP140(?,?,3FFFFFFF,?,?,005B6E09,?,?,?,?,005B6D58,?), ref: 005B6E8C
                                                                            • ?_Xbad_alloc@std@@YAXXZ.MSVCP140(?,?,3FFFFFFF,?,?,005B6E09,?,?,?,?,005B6D58,?), ref: 005B6EA7
                                                                            • new.LIBCMT ref: 005B6EAE
                                                                            • memmove.VCRUNTIME140(00000000,?,?), ref: 005B6ED6
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Xbad_alloc@std@@$memmove
                                                                            • String ID:
                                                                            • API String ID: 2874220160-0
                                                                            • Opcode ID: 621b6846db9c97e2ccdb4af69cf27a1b5ff06bbca6beadf69260c4dda5ad78ca
                                                                            • Instruction ID: 940cbc53da0eafdafce03560033b9f98fb4248e23df25b8fa02023ea06bbd0e6
                                                                            • Opcode Fuzzy Hash: 621b6846db9c97e2ccdb4af69cf27a1b5ff06bbca6beadf69260c4dda5ad78ca
                                                                            • Instruction Fuzzy Hash: C311B1BA901103AFC714DF68C895DABBBACFB44310714463AE805C3250EB35FD14C791
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xbad_alloc@std@@YAXXZ.MSVCP140(?,00000000,00000104,?,005CA2F6,00000000), ref: 005CA54B
                                                                            • ?_Xbad_alloc@std@@YAXXZ.MSVCP140(?,00000000,00000104,?,005CA2F6,00000000), ref: 005CA562
                                                                            • new.LIBCMT ref: 005CA569
                                                                            • memmove.VCRUNTIME140(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,005D1670,000000FF), ref: 005CA591
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Xbad_alloc@std@@$memmove
                                                                            • String ID:
                                                                            • API String ID: 2874220160-0
                                                                            • Opcode ID: 8d681dc09a3e8e9da28f9ff7969e62d47d99ea1ffa33deb2776476749755bb81
                                                                            • Instruction ID: a9f09aed42ee05d816b387f8da345e0872f5f447cf0843d4583bedf186acbe2c
                                                                            • Opcode Fuzzy Hash: 8d681dc09a3e8e9da28f9ff7969e62d47d99ea1ffa33deb2776476749755bb81
                                                                            • Instruction Fuzzy Hash: 7A11D0B2900106AFCB14DFA8D885D6EBFA8FF44354350863EE905C3250EB70EA54CBD2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005B7FE9,?,?,?,?,?,?,?,?,00000000,?,005C7015), ref: 005B7850
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005B7FE9,?,?,?,?,?,?,?,?,00000000,?,005C7015), ref: 005B7868
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005B7FE9,?,?,?,?,?,?,?,?,00000000,?,005C7015), ref: 005B7875
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005B7FE9,?,?,?,?,?,?,?,?,00000000,?,005C7015), ref: 005B7882
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005B7FE9,?,?,?,?,?,?,?,?,00000000,?,005C7015), ref: 005B788D
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                            • String ID:
                                                                            • API String ID: 3668304517-0
                                                                            • Opcode ID: 3b0f20f06f8e82b33d95c011aa618e5ecbe2f9e62ef6ecf8e8a5198118efacac
                                                                            • Instruction ID: e1cdd327647c9d43502d534d88f762c3c7e7480dbf360653e38cd3de160f99e2
                                                                            • Opcode Fuzzy Hash: 3b0f20f06f8e82b33d95c011aa618e5ecbe2f9e62ef6ecf8e8a5198118efacac
                                                                            • Instruction Fuzzy Hash: 56F0543894500E5FD728ABA4D65C5ACBFA6FBE8341B100027F44BC2255DB21E944D627
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005B5F8C,?), ref: 005B62F0
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005B5F8C,?), ref: 005B6308
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005B5F8C,?), ref: 005B6315
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005B5F8C,?), ref: 005B6322
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005B5F8C,?), ref: 005B632D
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                            • String ID:
                                                                            • API String ID: 3668304517-0
                                                                            • Opcode ID: 35810296ba5365477c3274be0209ab1d35bba49bec75ff26b907ab54ed64d717
                                                                            • Instruction ID: 7a2d7edf42937b84e70c3c34362effb9ee7bd5080131fb54bae3ca78254ec52b
                                                                            • Opcode Fuzzy Hash: 35810296ba5365477c3274be0209ab1d35bba49bec75ff26b907ab54ed64d717
                                                                            • Instruction Fuzzy Hash: F5F054349011068BE7186B68D65C6ACBFA5BB54311B10043BE84BC3115DA25EA989623
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005CB815,?,?,?,?,?,?,?,?,?,00000009,00000000,00000009), ref: 005B6E20
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005CB815,?,?,?,?,?,?,?,?,?,00000009,00000000,00000009), ref: 005B6E35
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005CB815,?,?,?,?,?,?,?,?,?,00000009,00000000,00000009), ref: 005B6E42
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005CB815,?,?,?,?,?,?,?,?,?,00000009,00000000,00000009), ref: 005B6E4F
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005CB815,?,?,?,?,?,?,?,?,?,00000009,00000000,00000009), ref: 005B6E5A
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                            • String ID:
                                                                            • API String ID: 3668304517-0
                                                                            • Opcode ID: 583e8b7b5d456aa4f7f89082075de1869a61e9041fd6ef4c6c4f67ba32bc1c14
                                                                            • Instruction ID: 005b78ba8a7beab9b0eaea2ce2300f466e061f355db0a71b99eddccb16b3e1ec
                                                                            • Opcode Fuzzy Hash: 583e8b7b5d456aa4f7f89082075de1869a61e9041fd6ef4c6c4f67ba32bc1c14
                                                                            • Instruction Fuzzy Hash: F0F0273C8020094BD7286B74D74C1AEBF6ABB14311B000537F85BC1250DB34F9849733
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005B4B9C,?,?,750292F0,?,750292F0), ref: 005B4720
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005B4B9C,?,?,750292F0,?,750292F0), ref: 005B4734
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005B4B9C,?,?,750292F0,?,750292F0), ref: 005B4741
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005B4B9C,?,?,750292F0,?,750292F0), ref: 005B474E
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005B4B9C,?,?,750292F0,?,750292F0), ref: 005B4759
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                            • String ID:
                                                                            • API String ID: 3668304517-0
                                                                            • Opcode ID: c78359aafc5e86069cad470a4bb4c3d28c97c6ade648de6a019941aad1585857
                                                                            • Instruction ID: 39c434150c60a0374ecebea8e81e48b682166037b7cfda0b92373345e79622f3
                                                                            • Opcode Fuzzy Hash: c78359aafc5e86069cad470a4bb4c3d28c97c6ade648de6a019941aad1585857
                                                                            • Instruction Fuzzy Hash: D4F082349020054BCB286B74DA5D6ACBFA5FB16311B100527E85BC6256DF20A985D963
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • new.LIBCMT ref: 005C9A55
                                                                              • Part of subcall function 005CE041: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,005B4D78,00000001,3A04C82C,0000023A,?,00000000), ref: 005CE068
                                                                            • memset.VCRUNTIME140(00000000,00000000,00000488,00000488,3A04C82C,?,FFFFFFFF,?), ref: 005C9A71
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,?,?,3A04C82C,?,FFFFFFFF,?), ref: 005C9B12
                                                                              • Part of subcall function 005BA4B0: fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,000000FF,750292F0,?,?,?,005C975E), ref: 005BA4BA
                                                                              • Part of subcall function 005BA4B0: new.LIBCMT ref: 005BA4CB
                                                                              • Part of subcall function 005CC5E0: __RTDynamicCast.VCRUNTIME140(00000000,00000000,84],84],00000000,?,?,?,?,?,005C9B62,00000000,00000000,00000002,?,3A04C82C), ref: 005CC60F
                                                                              • Part of subcall function 005CC5E0: _CxxThrowException.VCRUNTIME140(?,005DCD08,Invalid Argument), ref: 005CC6FE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: CastDynamicExceptionThrow_stat64i32fopenmallocmemset
                                                                            • String ID: w
                                                                            • API String ID: 3122805426-476252946
                                                                            • Opcode ID: 4a643a080731100fbb2f9a44c499f1ad2bfcbe08a1e17848805e264c2d8025b6
                                                                            • Instruction ID: 0b4d66ad86f548d6d1b7694b6ac09978dcf2aba0bb5541275e1dd29416e7f3bc
                                                                            • Opcode Fuzzy Hash: 4a643a080731100fbb2f9a44c499f1ad2bfcbe08a1e17848805e264c2d8025b6
                                                                            • Instruction Fuzzy Hash: 4AB15D70A002169FDB14DF98C89AFAEBBB5FF88300F14405DF505AB292DBB59D45CBA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,3A04C82D,?,?,005B4F78,3A04C82C,3A04C82D,?,?), ref: 005B4508
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,3A04C82C,3A04C82D,?,?,005B4F78,3A04C82C,3A04C82D,?,?), ref: 005B4524
                                                                            • memmove.VCRUNTIME140(?,?,?,3A04C82C,3A04C82D,?,?,005B4F78,3A04C82C,3A04C82D,?,?), ref: 005B457E
                                                                              • Part of subcall function 005B45B0: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,3A04C82C,00000000,?,?,005B44EF,00000000,?,?,3A04C82D,?,?,005B4F78,3A04C82C,3A04C82D), ref: 005B45CA
                                                                              • Part of subcall function 005B45B0: ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,3A04C82C,00000000,?,?,005B44EF,00000000,?,?,3A04C82D,?,?,005B4F78,3A04C82C,3A04C82D), ref: 005B45ED
                                                                              • Part of subcall function 005B45B0: ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,3A04C82C,00000000,?,?,005B44EF,00000000,?,?,3A04C82D,?,?,005B4F78,3A04C82C,3A04C82D), ref: 005B4608
                                                                              • Part of subcall function 005B45B0: memmove.VCRUNTIME140(?,?,3A04C82D,3A04C82C,00000000,?,?,005B44EF,00000000,?,?,3A04C82D,?,?,005B4F78,3A04C82C), ref: 005B466F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Xlength_error@std@@$memmove$Xout_of_range@std@@
                                                                            • String ID: string too long
                                                                            • API String ID: 1879775902-2556327735
                                                                            Uniqueness
                                                                            • Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,?,?,005B7004,?,?,?,?,?,?,00000000,00000000), ref: 005B7744
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,?,?,005B7004,?,?,?,?,?,?,00000000,00000000), ref: 005B7754
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Xlength_error@std@@
                                                                            • String ID: string too long
                                                                            • API String ID: 1004598685-2556327735
                                                                            Uniqueness
                                                                            • Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xbad_alloc@std@@YAXXZ.MSVCP140(3A04C82C,0000023A,?,00000000), ref: 005B4D58
                                                                            • new.LIBCMT ref: 005B4D5F
                                                                            • new.LIBCMT ref: 005B4D73
                                                                            • memmove.VCRUNTIME140(00000000,?,0000023A,00000000), ref: 005B4DBF
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Xbad_alloc@std@@memmove
                                                                            • String ID:
                                                                            • API String ID: 2663607490-0
                                                                            Uniqueness
                                                                            • Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • new.LIBCMT ref: 005C94E2
                                                                              • Part of subcall function 005CE041: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,005B4D78,00000001,3A04C82C,0000023A,?,00000000), ref: 005CE068
                                                                            • memset.VCRUNTIME140(00000000,00000000,00000030,00000030,3A04C82C), ref: 005C94F8
                                                                            • memset.VCRUNTIME140(00000000,00000000,?,?), ref: 005C95AF
                                                                            • memmove.VCRUNTIME140(?,00000000,?,00000000,00000000,?,?), ref: 005C95BB
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: memset$mallocmemmove
                                                                            • String ID:
                                                                            • API String ID: 1346079573-0
                                                                            Uniqueness
                                                                            • Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xbad_alloc@std@@YAXXZ.MSVCP140(?,?,00000000,?,005C7015,?,?), ref: 005B7F41
                                                                            • ?_Xbad_alloc@std@@YAXXZ.MSVCP140(?,?,00000000,?,005C7015,?,?), ref: 005B7F5B
                                                                            • new.LIBCMT ref: 005B7F62
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Xbad_alloc@std@@
                                                                            • String ID:
                                                                            • API String ID: 3815834350-0
                                                                            Uniqueness
                                                                            • Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xbad_alloc@std@@YAXXZ.MSVCP140(00000000,00000009,00000000,?,005CB5D9,00000000,005C862E,00000009), ref: 005CB62B
                                                                            • ?_Xbad_alloc@std@@YAXXZ.MSVCP140(00000000,00000009,00000000,?,005CB5D9,00000000,005C862E,00000009), ref: 005CB646
                                                                            • new.LIBCMT ref: 005CB64D
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Xbad_alloc@std@@
                                                                            • String ID:
                                                                            • API String ID: 3815834350-0
                                                                            Uniqueness
                                                                            • Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 005CE9C1
                                                                            • GetCurrentThreadId.KERNEL32 ref: 005CE9D0
                                                                            • GetCurrentProcessId.KERNEL32 ref: 005CE9D9
                                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 005CE9E6
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                            • String ID:
                                                                            • API String ID: 2933794660-0
                                                                            Uniqueness
                                                                            • Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xbad_alloc@std@@YAXXZ.MSVCP140(?,005CB7A7,00000009,00000000,00000009,00000000,00000009), ref: 005CB6D9
                                                                            • ?_Xbad_alloc@std@@YAXXZ.MSVCP140(?,005CB7A7,00000009,00000000,00000009,00000000,00000009), ref: 005CB6F0
                                                                            • new.LIBCMT ref: 005CB6F7
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Xbad_alloc@std@@
                                                                            • String ID:
                                                                            • API String ID: 3815834350-0
                                                                            Uniqueness
                                                                            • Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4783
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B4790
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B479D
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B47A8
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                            • String ID:
                                                                            • API String ID: 3668304517-0
                                                                            Uniqueness
                                                                            • Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(vector<T> too long,00000000,00000009,00000000,00000009), ref: 005CB76F
                                                                            • memmove.VCRUNTIME140(?,00000000,?,?,00000000,00000000,00000000,00000000,00000009,00000000,00000009), ref: 005CB8A7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: Xlength_error@std@@memmove
                                                                            • String ID: vector<T> too long
                                                                            • API String ID: 1146228739-3788999226
Uniqueness Score: -1.00%

APIs
• ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,3A04C82C,?,00000104,00000104,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005CA886
• ?_Init@locale@std@@CAPAV_Locimp@12@_N@Z.MSVCP140(00000001,3A04C82C,?,00000104,00000104), ref: 005CA8A6
  • Part of subcall function 005B4710: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005B4B9C,?,?,750292F0,?,750292F0), ref: 005B4720
  • Part of subcall function 005B4710: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005B4B9C,?,?,750292F0,?,750292F0), ref: 005B4734
  • Part of subcall function 005B4710: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005B4B9C,?,?,750292F0,?,750292F0), ref: 005B4741
  • Part of subcall function 005B4710: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005B4B9C,?,?,750292F0,?,750292F0), ref: 005B474E
  • Part of subcall function 005B4710: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005B4B9C,?,?,750292F0,?,750292F0), ref: 005B4759
Strings
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$Init@locale@std@@Locimp@12@_Xlength_error@std@@
• String ID: string too long
• API String ID: 1093751468-2556327735
Uniqueness Score: -1.00%

APIs
• ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,?,?,?,005B10A4,Pacific/Marquesas,00000011), ref: 005B42E3
• memmove.VCRUNTIME140(?,00000000,0000023A,?,?,?,?,005B10A4,Pacific/Marquesas,00000011), ref: 005B4337
  • Part of subcall function 005B4370: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?,00000000,?,005B42CF,?,00000000,0000023A,?,?,?,005B10A4,Pacific/Marquesas,00000011), ref: 005B438A
  • Part of subcall function 005B4370: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?,00000000,?,005B42CF,?,00000000,0000023A,?,?,?,005B10A4,Pacific/Marquesas,00000011), ref: 005B43AB
Strings
Similarity
• API ID: Xout_of_range@std@@$Xlength_error@std@@memmove
• String ID: string too long
• API String ID: 3597620626-2556327735
Uniqueness Score: -1.00%

APIs
• ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,00000058,00000040,00000000,?,005BCC26,SOFTWARE\Classes\CLSID\,00000017), ref: 005B4147
• memmove.VCRUNTIME140(?,00000017,00000000,00000058,00000040,00000000,?,005BCC26,SOFTWARE\Classes\CLSID\,00000017), ref: 005B41A2
Strings
Similarity
• API ID: Xlength_error@std@@memmove
• String ID: string too long
• API String ID: 1146228739-2556327735
Uniqueness Score: -1.00%

APIs
• ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,00000000,00000058,00000040,?,005BCC77,\MiscStatus\1,0000000D,?,00000000,000000FF,{d07606c8-6532-4d75-a46d-f5f5ac6ef74a},00000026,SOFTWARE\Classes\CLSID\,00000017), ref: 005B61AD
• memmove.VCRUNTIME140(?,00000017,00000000,?,?,00000000,00000058,00000040,?,005BCC77,\MiscStatus\1,0000000D,?,00000000,000000FF,{d07606c8-6532-4d75-a46d-f5f5ac6ef74a}), ref: 005B61E3
Strings
Similarity
• API ID: Xlength_error@std@@memmove
• String ID: string too long
• API String ID: 1146228739-2556327735
Uniqueness Score: -1.00%

APIs
• ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,?,?,005B7104,?,?,?,?,?,?,00000000,00000000), ref: 005B7484
• ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,?,?,005B7104,?,?,?,?,?,?,00000000,00000000), ref: 005B7497
Strings
Similarity
• API ID: Xlength_error@std@@
• String ID: string too long
• API String ID: 1004598685-2556327735
Uniqueness Score: -1.00%

APIs
• GetWindowsDirectoryA.KERNEL32(00000040,00000104,3A04C82C), ref: 005BD3A5
Strings
Similarity
• API ID: DirectoryWindows
• String ID: \sysnative$\system32
• API String ID: 3619848164-3725051112
Uniqueness Score: -1.00%

APIs
• ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,00000000,?,?,005B486F,00000000,?,00000058,?,00000017,?,005B4130,?,00000017,?,00000040), ref: 005B4C36
Strings
• invalid string position, xrefs: 005B4C31
Similarity
• API ID: Xout_of_range@std@@
• String ID: invalid string position
• API String ID: 1960685668-1799206989
Uniqueness Score: -1.00%

APIs
• ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,005D3638,005D3638,?,005B5038,005D3638,00000001,3A04C82C,00000001,0000001C), ref: 005B4944
• memmove.VCRUNTIME140(005D3638,54205547,20505554,20505554,005D3638,005D3638,?,005B5038,005D3638,00000001,3A04C82C), ref: 005B498A
Strings
Similarity
• API ID: Xlength_error@std@@memmove
• String ID: string too long
• API String ID: 1146228739-2556327735
Uniqueness Score: -1.00%

APIs
• ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?,?,005B43E3,00000000,0000023A,?,?,00000000,?,005B42CF,?,00000000,0000023A), ref: 005B49F6
Strings
• invalid string position, xrefs: 005B49F1
Similarity
• API ID: Xout_of_range@std@@
• String ID: invalid string position
• API String ID: 1960685668-1799206989
Uniqueness Score: -1.00%

APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 005CE316
• ___raise_securityfailure.LIBCMT ref: 005CE3FD
Strings
Similarity
• API ID: FeaturePresentProcessor___raise_securityfailure
• String ID: 8]
• API String ID: 3761405300-1406931365
                                                                            • Opcode ID: 993ac94681653d103ec7995447c9546071c1b8cd58e5b621af9d3d8811bcebff
                                                                            • Instruction ID: ca4949504b2674e4478278dc5b1e2e799976e67ac56083abf631628d90dc2146
                                                                            • Opcode Fuzzy Hash: 993ac94681653d103ec7995447c9546071c1b8cd58e5b621af9d3d8811bcebff
                                                                            • Instruction Fuzzy Hash: CF21E6B45422009EE730EF55F9877183BE4BB28398F14555BE5088F3A0F3B06948EF46
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _CxxThrowException.VCRUNTIME140(?,005DCD18,00000000), ref: 005CD99B
                                                                            • _CxxThrowException.VCRUNTIME140(005D9344,005DCD18,?,005DCD18,00000000), ref: 005CD9B0
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2192293716.00000000005B1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 005B0000, based on PE: true
                                                                            • Associated: 00000004.00000002.2192243595.00000000005B0000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192337315.00000000005D3000.00000002.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192363516.00000000005DE000.00000004.00000001.01000000.0000000B.sdmp
                                                                            • Associated: 00000004.00000002.2192382739.00000000005E1000.00000002.00000001.01000000.0000000B.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_5b0000_post_install.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionThrow
                                                                            • String ID:
                                                                            • API String ID: 432778473-0
                                                                            • Opcode ID: 11c28b86e41a75c44a859631636a52948b5291dd2cf57fa8ce2e66d03351a3bf
                                                                            • Instruction ID: 907c56afbba7faebc4fe725136d5c6a2d787fd7ae720007b2603bae45b257e71
                                                                            • Opcode Fuzzy Hash: 11c28b86e41a75c44a859631636a52948b5291dd2cf57fa8ce2e66d03351a3bf
                                                                            • Instruction Fuzzy Hash: 5431B6719042096BCB14EFA8CD49FEEBFE8BF49314F14952EF904A2241DBB0A944C6A4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Execution Graph

                                                                            Execution Coverage:16.2%
                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                            Signature Coverage:1.1%
                                                                            Total number of Nodes:1381
                                                                            Total number of Limit Nodes:5
                                                                            execution_graph 6450 6a2060 6459 6a1b30 6450->6459 6453 6a20eb 6454 6a2089 SetServiceStatus 6455 6a20df SetEvent 6454->6455 6456 6a20c6 GetLastError 6454->6456 6455->6453 6467 6a1aa0 6456->6467 6460 6a1b8d 6459->6460 6461 6a1b60 6459->6461 6463 6a1bae 6460->6463 6473 6a4f80 6460->6473 6462 6ad23c new 4 API calls 6461->6462 6464 6a1b67 6462->6464 6463->6453 6463->6454 6480 6a4d80 6464->6480 6468 6a1afd 6467->6468 6469 6a1ad0 6467->6469 6468->6455 6470 6ad23c new 4 API calls 6469->6470 6471 6a1ad7 6470->6471 6472 6a4d80 5 API calls 6471->6472 6472->6468 6474 6a4f8d ___scrt_initialize_default_local_stdio_options 6473->6474 6475 6a4fb9 __stdio_common_vsprintf 6474->6475 6483 6a4f20 6475->6483 6477 6ad22b __ehhandler$___std_fs_get_file_id@8 5 API calls 6478 6a4fe8 6477->6478 6478->6463 6481 6ad23c new 4 API calls 6480->6481 6482 6a4de2 InitializeCriticalSection 6481->6482 6482->6460 6484 6a4f3b 6483->6484 6485 6a4f65 6483->6485 6484->6485 6488 6a3530 6484->6488 6583 6a9880 GetFileAttributesA 6484->6583 6485->6477 6492 6a354b 6488->6492 6489 6a3ab4 6490 6ad22b __ehhandler$___std_fs_get_file_id@8 5 API calls 6489->6490 6491 6a3acc 6490->6491 6491->6484 6492->6489 6493 6a3606 _stat64i32 6492->6493 6494 6a37ee _stat64i32 6493->6494 6495 6a3621 6493->6495 6500 6a3952 fopen 6494->6500 6503 6a380f 6494->6503 6495->6494 6496 6a3631 6495->6496 6498 6a28b0 16 API calls 6496->6498 6499 6a365f 6498->6499 6501 6a369b 6499->6501 6505 6a368b 6499->6505 6500->6489 6507 6a3973 GetModuleFileNameW _wsplitpath_s wcscat_s 6500->6507 6632 6a3ae0 GetLocalTime 6501->6632 6504 6a3829 6503->6504 6512 6a9880 GetFileAttributesA 6503->6512 6504->6500 6686 6a4160 6504->6686 6625 6a40a0 6505->6625 6585 6a4040 6507->6585 6512->6504 6513 6a4670 14 API calls 6516 6a36ba 6513->6516 6515 6a39e2 6592 6a5310 6515->6592 6519 6a2670 4 API calls 6516->6519 6517 6a3881 6520 6a3ae0 25 API calls 6517->6520 6522 6a36c9 GetFileAttributesA 
6519->6522 6524 6a388c 6520->6524 6521 6a39fa 6607 6a7c40 GetLocalTime 6521->6607 6526 6a36e9 6522->6526 6523 6a40a0 17 API calls 6523->6517 6527 6a4670 14 API calls 6524->6527 6530 6a3706 6526->6530 6639 6a98a0 _mkdir 6526->6639 6529 6a38a0 6527->6529 6532 6a2670 4 API calls 6529->6532 6534 6a40a0 17 API calls 6530->6534 6536 6a38af 6532->6536 6535 6a3716 fopen 6534->6535 6543 6a379c 6535->6543 6544 6a3737 6535->6544 6538 6a9880 GetFileAttributesA 6536->6538 6541 6a38c8 6538->6541 6539 6a3a5d 6617 6a2670 6539->6617 6545 6a38e5 6541->6545 6549 6a98a0 2 API calls 6541->6549 6642 6a3b70 6543->6642 6548 6a7c40 25 API calls 6544->6548 6550 6a40a0 17 API calls 6545->6550 6553 6a3742 6548->6553 6549->6545 6554 6a38f5 6550->6554 6551 6a2670 4 API calls 6555 6a3a76 6551->6555 6560 6a3090 __stdio_common_vsprintf 6553->6560 6557 6a4c10 16 API calls 6554->6557 6621 6a2630 6555->6621 6556 6a4c10 16 API calls 6559 6a37b8 6556->6559 6561 6a390a 6557->6561 6563 6a4be0 15 API calls 6559->6563 6564 6a3761 6560->6564 6565 6a4be0 15 API calls 6561->6565 6566 6a37cd 6563->6566 6567 6a2670 4 API calls 6564->6567 6568 6a391f 6565->6568 6680 6a40e0 6566->6680 6571 6a376f fwrite fclose 6567->6571 6572 6a40e0 5 API calls 6568->6572 6571->6543 6574 6a392a 6572->6574 6575 6a2670 4 API calls 6574->6575 6578 6a3935 6575->6578 6576 6a2670 4 API calls 6579 6a37e3 6576->6579 6580 6a2670 4 API calls 6578->6580 6579->6578 6581 6a3940 6580->6581 6582 6a2670 4 API calls 6581->6582 6582->6500 6584 6a988c 6583->6584 6584->6484 6586 6a4073 6585->6586 6587 6a4061 6585->6587 6590 6a4190 20 API calls 6586->6590 6588 6a4190 20 API calls 6587->6588 6589 6a406c 6588->6589 6589->6515 6591 6a4099 6590->6591 6591->6515 6593 6a535c WideCharToMultiByte 6592->6593 6594 6a533d 6592->6594 6689 6a58c0 6593->6689 6595 6ad22b __ehhandler$___std_fs_get_file_id@8 5 API calls 6594->6595 6596 6a5358 6595->6596 6596->6521 6601 6a26b0 memmove 6602 6a53e0 6601->6602 6603 6a53f4 6602->6603 6604 6a2aa0 4 API calls 6602->6604 
6605 6ad22b __ehhandler$___std_fs_get_file_id@8 5 API calls 6603->6605 6604->6603 6606 6a5403 6605->6606 6606->6521 6698 6a3060 6607->6698 6609 6a7c95 6610 6a27b0 18 API calls 6609->6610 6611 6a7cd5 6610->6611 6612 6ad22b __ehhandler$___std_fs_get_file_id@8 5 API calls 6611->6612 6613 6a3a0b GetCurrentProcessId 6612->6613 6614 6a3090 6613->6614 6702 6a3050 6614->6702 6616 6a30a8 __stdio_common_vsprintf 6616->6539 6618 6a267b 6617->6618 6619 6a2684 6617->6619 6620 6a2aa0 4 API calls 6618->6620 6619->6551 6620->6619 6622 6a263b 6621->6622 6623 6a2644 fwrite fclose 6621->6623 6624 6a2a40 5 API calls 6622->6624 6623->6489 6624->6623 6626 6a40ac 6625->6626 6628 6a40ba 6625->6628 6627 6a4550 17 API calls 6626->6627 6629 6a40b5 6627->6629 6628->6628 6630 6a4550 17 API calls 6628->6630 6629->6501 6631 6a40d1 6630->6631 6631->6501 6633 6a3060 __stdio_common_vsprintf_s 6632->6633 6634 6a3b21 6633->6634 6635 6a27b0 18 API calls 6634->6635 6636 6a3b5a 6635->6636 6637 6ad22b __ehhandler$___std_fs_get_file_id@8 5 API calls 6636->6637 6638 6a36a6 6637->6638 6638->6513 6640 6a98be 6639->6640 6641 6a98b1 _errno 6639->6641 6640->6530 6641->6640 6643 6a3ba6 _stat64i32 6642->6643 6645 6a3bc8 6643->6645 6678 6a3bc1 6643->6678 6703 6a5610 6645->6703 6646 6ad22b __ehhandler$___std_fs_get_file_id@8 5 API calls 6648 6a37a3 6646->6648 6648->6556 6649 6a3be1 6716 6a6f10 6649->6716 6652 6a4290 18 API calls 6653 6a3c37 6652->6653 6654 6a3c72 6653->6654 6655 6a43b0 18 API calls 6653->6655 6656 6a4490 16 API calls 6654->6656 6655->6654 6657 6a3c88 6656->6657 6658 6a43b0 18 API calls 6657->6658 6659 6a3c9a 6658->6659 6660 6a4490 16 API calls 6659->6660 6661 6a3cb0 6660->6661 6782 6a4cf0 6661->6782 6663 6a3cf1 _wstat64i32 6663->6661 6664 6a3d09 wcsnlen 6663->6664 6785 6a5520 6664->6785 6666 6a3d2d 6667 6a5520 21 API calls 6666->6667 6668 6a3d56 rename 6667->6668 6669 6a3d99 6668->6669 6670 6a3da6 6668->6670 6671 6a2aa0 4 API calls 6669->6671 6672 6a3dd9 6670->6672 6673 6a2aa0 4 API calls 
6670->6673 6671->6670 6674 6a3e0c 6672->6674 6675 6a2a40 5 API calls 6672->6675 6673->6672 6798 6a3e70 6674->6798 6675->6674 6678->6646 6679 6a2a40 5 API calls 6679->6678 6681 6a410a 6680->6681 6682 6a37d8 6680->6682 6683 6a411b 6681->6683 6684 6a2aa0 4 API calls 6681->6684 6682->6576 6685 6a29d0 memmove 6683->6685 6684->6683 6685->6682 6687 6a28b0 16 API calls 6686->6687 6688 6a3843 6687->6688 6688->6517 6688->6523 6690 6a58da 6689->6690 6691 6a58cf ?_Xlength_error@std@@YAXPBD 6689->6691 6692 6a58df ?_Xlength_error@std@@YAXPBD 6690->6692 6693 6a58ea 6690->6693 6691->6690 6692->6693 6694 6a2c40 10 API calls 6693->6694 6695 6a58f8 6693->6695 6694->6695 6696 6a53a3 WideCharToMultiByte 6695->6696 6697 6a5946 memset 6695->6697 6696->6601 6697->6696 6701 6a3050 6698->6701 6700 6a3078 __stdio_common_vsprintf_s 6700->6609 6701->6700 6702->6616 6704 6a565e MultiByteToWideChar 6703->6704 6705 6a563e 6703->6705 6706 6a5700 14 API calls 6704->6706 6707 6ad22b __ehhandler$___std_fs_get_file_id@8 5 API calls 6705->6707 6708 6a5695 MultiByteToWideChar 6706->6708 6709 6a565a 6707->6709 6710 6a5850 memmove 6708->6710 6709->6649 6712 6a56d8 6710->6712 6711 6a56ec 6714 6ad22b __ehhandler$___std_fs_get_file_id@8 5 API calls 6711->6714 6712->6711 6713 6a2a40 5 API calls 6712->6713 6713->6711 6715 6a56fb 6714->6715 6715->6649 6717 6a6f54 6716->6717 6718 6a6f70 6717->6718 6719 6a4290 18 API calls 6717->6719 6814 6a7a70 6718->6814 6719->6718 6724 6a7025 6864 6a6c10 6724->6864 6729 6a70cd 6887 6a6c50 6729->6887 6736 6a6fc2 6751 6a5850 memmove 6736->6751 6737 6a63c0 36 API calls 6742 6a7050 6737->6742 6738 6a7175 6915 6a6c90 6738->6915 6739 6a6ffb 6739->6724 6749 6a2a40 5 API calls 6739->6749 6740 6a6fe9 6740->6739 6744 6a2a40 5 API calls 6740->6744 6741 6a2a40 5 API calls 6741->6736 6746 6a7091 6742->6746 6752 6a706a 6742->6752 6757 6a2a40 5 API calls 6742->6757 6744->6739 6750 6a70a3 6746->6750 6755 6a2a40 5 API calls 6746->6755 6749->6724 6750->6729 6762 6a2a40 5 API calls 6750->6762 
6751->6740 6768 6a5850 memmove 6752->6768 6753 6a63c0 36 API calls 6758 6a70f8 6753->6758 6754 6a7219 6756 6a722b 6754->6756 6761 6a2a40 5 API calls 6754->6761 6755->6750 6763 6ad22b __ehhandler$___std_fs_get_file_id@8 5 API calls 6756->6763 6757->6752 6764 6a7139 6758->6764 6769 6a7112 6758->6769 6772 6a2a40 5 API calls 6758->6772 6761->6756 6762->6729 6767 6a3bfc 6763->6767 6766 6a714b 6764->6766 6771 6a2a40 5 API calls 6764->6771 6765 6a63c0 36 API calls 6770 6a71a0 6765->6770 6766->6738 6774 6a2a40 5 API calls 6766->6774 6767->6652 6768->6746 6775 6a5850 memmove 6769->6775 6773 6a71e1 6770->6773 6776 6a71ba 6770->6776 6778 6a2a40 5 API calls 6770->6778 6771->6766 6772->6769 6777 6a71f3 6773->6777 6779 6a2a40 5 API calls 6773->6779 6774->6738 6775->6764 6781 6a5850 memmove 6776->6781 6777->6754 6780 6a2a40 5 API calls 6777->6780 6778->6776 6779->6777 6780->6754 6781->6773 7091 6a3050 6782->7091 6784 6a4d0a __stdio_common_vswprintf_s 6784->6663 6786 6a554e 6785->6786 6787 6a556d WideCharToMultiByte 6785->6787 6788 6ad22b __ehhandler$___std_fs_get_file_id@8 5 API calls 6786->6788 6789 6a58c0 13 API calls 6787->6789 6790 6a5569 6788->6790 6791 6a55a6 WideCharToMultiByte 6789->6791 6790->6666 6792 6a26b0 memmove 6791->6792 6793 6a55da 6792->6793 6794 6a55ee 6793->6794 6795 6a2aa0 4 API calls 6793->6795 6796 6ad22b __ehhandler$___std_fs_get_file_id@8 5 API calls 6794->6796 6795->6794 6797 6a55fd 6796->6797 6797->6666 6803 6a3ea9 6798->6803 6799 6a3f0c 6801 6a2a40 5 API calls 6799->6801 6802 6a3f3e 6799->6802 6801->6802 6805 6a3f6d 6802->6805 6807 6a2a40 5 API calls 6802->6807 6803->6799 7092 6a4d30 6803->7092 6808 6a3f9c 6805->6808 6809 6a2a40 5 API calls 6805->6809 6807->6805 6810 6a3fcb 6808->6810 6811 6a2a40 5 API calls 6808->6811 6809->6808 6812 6a3e34 6810->6812 6813 6a2a40 5 API calls 6810->6813 6811->6810 6812->6678 6812->6679 6813->6812 6815 6a7aca ?_Init@locale@std@@CAPAV_Locimp@12@_N 6814->6815 6817 6a7b0a 6815->6817 6943 6a7810 6817->6943 6819 6a7b44 6954 
6a78f0 6819->6954 6822 6a7b7a 6824 6ad22b __ehhandler$___std_fs_get_file_id@8 5 API calls 6822->6824 6823 6a2a40 5 API calls 6823->6822 6825 6a6f79 6824->6825 6826 6a6bd0 6825->6826 6827 6a6500 46 API calls 6826->6827 6828 6a6be4 6827->6828 6829 6a6bff 6828->6829 6830 6a2a40 5 API calls 6828->6830 6829->6724 6831 6a6500 6829->6831 6830->6829 6832 6a6573 6831->6832 6833 6a66a9 6832->6833 7023 6a6d50 6832->7023 6834 6ad22b __ehhandler$___std_fs_get_file_id@8 5 API calls 6833->6834 6836 6a66c2 6834->6836 6854 6a63c0 ?_Init@locale@std@@CAPAV_Locimp@12@_N 6836->6854 6837 6a65a8 6839 6a65d4 6837->6839 7027 6a7310 6837->7027 7040 6a74a0 6839->7040 6842 6a4290 18 API calls 6843 6a6609 6842->6843 6844 6a662b 6843->6844 6846 6a2a40 5 API calls 6843->6846 7063 6a6cd0 6844->7063 6846->6844 6847 6a6685 6850 6a2a40 5 API calls 6847->6850 6851 6a6697 6847->6851 6848 6a78f0 30 API calls 6852 6a6659 6848->6852 6849 6a7310 46 API calls 6849->6852 6850->6851 6851->6833 6853 6a2a40 5 API calls 6851->6853 6852->6847 6852->6848 6852->6849 6853->6833 6855 6a6435 6854->6855 6856 6a7810 29 API calls 6855->6856 6857 6a646f 6856->6857 6858 6a5850 memmove 6857->6858 6859 6a64a6 6858->6859 6860 6a64db 6859->6860 6861 6a2a40 5 API calls 6859->6861 6862 6ad22b __ehhandler$___std_fs_get_file_id@8 5 API calls 6860->6862 6861->6860 6863 6a64f4 6862->6863 6863->6736 6863->6740 6863->6741 6865 6a66d0 46 API calls 6864->6865 6866 6a6c24 6865->6866 6867 6a6c3f 6866->6867 6868 6a2a40 5 API calls 6866->6868 6867->6729 6869 6a66d0 6867->6869 6868->6867 6870 6a6723 6869->6870 6886 6a6705 6869->6886 6871 6a6d50 46 API calls 6870->6871 6873 6a672c 6871->6873 6872 6a5850 memmove 6874 6a67b3 6872->6874 6876 6a7310 46 API calls 6873->6876 6877 6a6760 6873->6877 6875 6a67d0 6874->6875 6879 6a2a40 5 API calls 6874->6879 6880 6a67fe 6875->6880 6882 6a2a40 5 API calls 6875->6882 6876->6873 6881 6a74a0 46 API calls 6877->6881 6878 6a6829 6878->6737 6879->6875 6880->6878 6884 6a2a40 5 API calls 6880->6884 6883 6a676a 
6881->6883 6882->6880 6885 6a4290 18 API calls 6883->6885 6884->6878 6885->6886 6886->6872 6888 6a6840 46 API calls 6887->6888 6889 6a6c64 6888->6889 6890 6a6c7f 6889->6890 6891 6a2a40 5 API calls 6889->6891 6890->6738 6892 6a6840 6890->6892 6891->6890 6893 6a66d0 46 API calls 6892->6893 6894 6a687f 6893->6894 6895 6a4290 18 API calls 6894->6895 6896 6a68a6 6895->6896 6897 6a68bc 6896->6897 6898 6a2a40 5 API calls 6896->6898 6899 6a69c0 46 API calls 6897->6899 6898->6897 6900 6a68db 6899->6900 6901 6a4290 18 API calls 6900->6901 6902 6a68ff 6901->6902 6903 6a6915 6902->6903 6905 6a2a40 5 API calls 6902->6905 6904 6a6935 6903->6904 6906 6a57e0 14 API calls 6903->6906 6907 6a7a70 45 API calls 6904->6907 6905->6903 6906->6904 6908 6a6963 6907->6908 6909 6a6975 6908->6909 6910 6a2a40 5 API calls 6908->6910 6911 6a699b 6909->6911 6912 6a2a40 5 API calls 6909->6912 6910->6909 6913 6ad22b __ehhandler$___std_fs_get_file_id@8 5 API calls 6911->6913 6912->6911 6914 6a69b4 6913->6914 6914->6753 6916 6a69c0 46 API calls 6915->6916 6917 6a6ca4 6916->6917 6918 6a6cbf 6917->6918 6919 6a2a40 5 API calls 6917->6919 6918->6754 6920 6a69c0 6918->6920 6919->6918 6921 6a66d0 46 API calls 6920->6921 6922 6a6a01 6921->6922 6923 6a4290 18 API calls 6922->6923 6924 6a6a28 6923->6924 6925 6a2a40 5 API calls 6924->6925 6927 6a6a3e 6924->6927 6925->6927 6926 6a6ac7 6928 6a5850 memmove 6926->6928 6927->6926 6930 6a7460 18 API calls 6927->6930 6929 6a6b05 6928->6929 6931 6a6b22 6929->6931 6935 6a2a40 5 API calls 6929->6935 6932 6a6ab3 6930->6932 6933 6a6b50 6931->6933 6938 6a2a40 5 API calls 6931->6938 6934 6a7a70 45 API calls 6932->6934 6936 6a6b7e 6933->6936 6939 6a2a40 5 API calls 6933->6939 6934->6926 6935->6931 6937 6a6baa 6936->6937 6940 6a2a40 5 API calls 6936->6940 6941 6ad22b __ehhandler$___std_fs_get_file_id@8 5 API calls 6937->6941 6938->6933 6939->6936 6940->6937 6942 6a6bc4 6941->6942 6942->6765 6944 6a782b 6943->6944 6945 6a785f 6943->6945 6946 6a7848 6944->6946 6947 6a7831 
6944->6947 6966 6a59d0 6945->6966 6949 6a47b0 2 API calls 6946->6949 6948 6a47b0 2 API calls 6947->6948 6951 6a7840 6948->6951 6952 6a7857 6949->6952 6951->6819 6952->6819 6953 6a787f 6953->6819 6955 6a792b 6954->6955 6956 6a4190 20 API calls 6955->6956 6964 6a7963 6955->6964 6956->6964 6957 6a7a23 6958 6a4490 16 API calls 6957->6958 6959 6a7a32 6958->6959 6960 6a7a44 6959->6960 6961 6a2a40 5 API calls 6959->6961 6962 6ad22b __ehhandler$___std_fs_get_file_id@8 5 API calls 6960->6962 6961->6960 6963 6a7a5e 6962->6963 6963->6822 6963->6823 6964->6957 7018 6a57e0 6964->7018 6967 6a5a31 6966->6967 6968 6a59e1 6966->6968 6969 6a5a3b ?_Xout_of_range@std@@YAXPBD 6967->6969 6970 6a5a46 6967->6970 6968->6967 6974 6a5a08 6968->6974 6969->6970 6971 6a5a64 ?_Xlength_error@std@@YAXPBD 6970->6971 6975 6a5a6f 6970->6975 6971->6975 6972 6a5aca 6973 6a4760 13 API calls 6972->6973 6982 6a5b6a 6972->6982 6981 6a5ae9 6973->6981 6984 6a5ba0 6974->6984 6975->6972 6976 6a5aa0 memmove 6975->6976 6976->6972 6977 6a5b46 6980 6a5b56 memmove 6977->6980 6977->6982 6980->6982 6981->6977 6981->6982 6983 6a5b20 memmove 6981->6983 6982->6953 6983->6977 6985 6a5bbe 6984->6985 6986 6a5bb3 ?_Xout_of_range@std@@YAXPBD 6984->6986 6987 6a5bd8 6985->6987 6988 6a5bcd ?_Xout_of_range@std@@YAXPBD 6985->6988 6986->6985 6989 6a5c08 ?_Xlength_error@std@@YAXPBD 6987->6989 6990 6a5c13 6987->6990 6988->6987 6989->6990 6991 6a5c31 6990->6991 6992 6a4760 13 API calls 6990->6992 6993 6a5c7b 6991->6993 6997 6a5c3e 6991->6997 6992->6991 6994 6a5d04 6993->6994 7000 6a5c83 6993->7000 6995 6a5d8d 6994->6995 7001 6a5d0c 6994->7001 6996 6a5e09 6995->6996 7002 6a5d94 6995->7002 7004 6a5e89 6996->7004 7005 6a5e13 6996->7005 6998 6a5c5e memmove 6997->6998 6999 6a5a29 6997->6999 6998->6999 6999->6953 7003 6a5ca7 memmove 7000->7003 7010 6a5cc9 7000->7010 7006 6a5d2d memmove 7001->7006 7012 6a5d45 7001->7012 7007 6a30d0 memmove 7002->7007 7003->7010 7008 6a30d0 memmove 7004->7008 7009 6a30d0 memmove 7005->7009 7006->7012 7017 
6a5dd1 7007->7017 7014 6a5ebf 7008->7014 7009->7017 7010->6999 7011 6a5ce5 memmove 7010->7011 7011->6999 7012->6999 7013 6a5d69 memmove 7012->7013 7013->6999 7016 6a30d0 memmove 7014->7016 7015 6a30d0 memmove 7015->6999 7016->7017 7017->7015 7019 6a5801 7018->7019 7020 6a57f6 ?_Xlength_error@std@@YAXPBD 7018->7020 7021 6a5811 7019->7021 7022 6a4760 13 API calls 7019->7022 7020->7019 7021->6957 7022->7021 7024 6a6d9c 7023->7024 7025 6a74a0 46 API calls 7024->7025 7026 6a6db0 7025->7026 7026->6837 7067 6a6dd0 7027->7067 7029 6a7322 7030 6a732f 7029->7030 7036 6a7342 7029->7036 7031 6a74a0 46 API calls 7030->7031 7032 6a7339 7031->7032 7032->6837 7033 6a74a0 46 API calls 7034 6a7448 7033->7034 7034->6837 7035 6a73c8 7035->7033 7036->7035 7037 6a73b8 7036->7037 7038 6a74a0 46 API calls 7037->7038 7039 6a73bf 7038->7039 7039->6837 7041 6a6dd0 5 API calls 7040->7041 7042 6a74f0 7041->7042 7044 6a7502 7042->7044 7050 6a7517 7042->7050 7061 6a7550 7042->7061 7075 6a7460 7044->7075 7047 6a7688 7049 6ad22b __ehhandler$___std_fs_get_file_id@8 5 API calls 7047->7049 7048 6a2a40 5 API calls 7048->7047 7052 6a65e1 7049->7052 7053 6a7555 7050->7053 7054 6a7546 7050->7054 7051 6a763a 7060 6a2a40 5 API calls 7051->7060 7051->7061 7052->6842 7053->7061 7062 6a7460 18 API calls 7053->7062 7078 6a7890 7054->7078 7055 6a761d 7059 6a5850 memmove 7055->7059 7056 6a7510 7056->7051 7056->7055 7058 6a2a40 5 API calls 7056->7058 7058->7055 7059->7051 7060->7061 7082 6a7ba0 7061->7082 7062->7056 7064 6a6d19 7063->7064 7065 6a74a0 46 API calls 7064->7065 7066 6a6d2d 7065->7066 7066->6852 7068 6a6ea1 7067->7068 7071 6a6ded 7067->7071 7069 6ad22b __ehhandler$___std_fs_get_file_id@8 5 API calls 7068->7069 7070 6a6ecc 7069->7070 7070->7029 7071->7068 7072 6a6e67 7071->7072 7073 6ad22b __ehhandler$___std_fs_get_file_id@8 5 API calls 7072->7073 7074 6a6e9d 7073->7074 7074->7029 7076 6a4290 18 API calls 7075->7076 7077 6a7490 7076->7077 7077->7056 7079 6a789c 7078->7079 7081 6a78a6 7078->7081 7080 
6a48d0 12 API calls 7079->7080 7080->7081 7081->7061 7083 6a7a70 45 API calls 7082->7083 7084 6a7bd4 7083->7084 7085 6a7c12 7084->7085 7086 6a7beb 7084->7086 7088 6a2a40 5 API calls 7084->7088 7087 6a7676 7085->7087 7089 6a2a40 5 API calls 7085->7089 7090 6a5850 memmove 7086->7090 7087->7047 7087->7048 7088->7086 7089->7087 7090->7085 7091->6784 7093 6a3ee3 7092->7093 7095 6a4d37 7092->7095 7096 6a4860 7093->7096 7094 6a2aa0 4 API calls 7094->7095 7095->7093 7095->7094 7097 6a4870 _invalid_parameter_noinfo_noreturn 7096->7097 7098 6a4876 7096->7098 7097->7098 7099 6a48b3 7098->7099 7100 6a4888 _invalid_parameter_noinfo_noreturn 7098->7100 7101 6a488e 7098->7101 7099->6799 7100->7101 7102 6a489b 7101->7102 7103 6a4895 _invalid_parameter_noinfo_noreturn 7101->7103 7104 6a48a8 7102->7104 7105 6a48a2 _invalid_parameter_noinfo_noreturn 7102->7105 7103->7102 7104->7099 7106 6a48ad _invalid_parameter_noinfo_noreturn 7104->7106 7105->7104 7106->7099 7107 6a6280 7108 6a6288 7107->7108 7109 6a6299 7107->7109 7111 6a9ae0 7108->7111 7112 6a9b00 GetThreadId GetCurrentThreadId 7111->7112 7113 6a9b25 CreateThread 7111->7113 7114 6a9b45 7112->7114 7115 6a9b15 CloseHandle 7112->7115 7113->7114 7118 6a9c10 7113->7118 7116 6ad22b __ehhandler$___std_fs_get_file_id@8 5 API calls 7114->7116 7115->7113 7117 6a9b50 7116->7117 7117->7109 7119 6a9c4f 7118->7119 7120 6a9c54 7118->7120 7124 6a62c0 7119->7124 7121 6ad22b __ehhandler$___std_fs_get_file_id@8 5 API calls 7120->7121 7122 6a9c6e 7121->7122 7125 6a62f8 7124->7125 7129 6a9ae0 9 API calls 7125->7129 7126 6a6328 7127 6ad22b __ehhandler$___std_fs_get_file_id@8 5 API calls 7126->7127 7128 6a6351 7127->7128 7128->7120 7129->7126 5745 6ad5cb 5746 6ad5d7 ___scrt_is_nonwritable_in_current_image 5745->5746 5764 6ad2e8 5746->5764 5748 6ad5de 5750 6ad607 5748->5750 5793 6add27 IsProcessorFeaturePresent 5748->5793 5751 6ad60b _initterm_e 5750->5751 5754 6ad654 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 5750->5754 5752 
6ad637 _initterm 5751->5752 5763 6ad626 ___scrt_is_nonwritable_in_current_image ___scrt_uninitialize_crt 5751->5763 5752->5754 5753 6ad6a7 __p___wargv __p___argc _get_initial_wide_environment 5768 6a2e40 memset 5753->5768 5754->5753 5758 6ad69f _register_thread_local_exe_atexit_callback 5754->5758 5758->5753 5760 6ad6d8 5762 6ad6dc _cexit 5760->5762 5760->5763 5761 6ad6d2 exit 5761->5760 5762->5763 5765 6ad2f1 5764->5765 5797 6adb7d IsProcessorFeaturePresent 5765->5797 5767 6ad2fd ___scrt_uninitialize_crt 5767->5748 5799 6aa140 5768->5799 5774 6a2eca 6035 6a5410 5774->6035 5776 6a2edb 5777 6a2ef3 wcscpy_s StartServiceCtrlDispatcherW 5776->5777 6057 6a2aa0 5776->6057 5779 6a2f58 GetLastError 5777->5779 5780 6a2fa4 5777->5780 5781 6a2f6b 5779->5781 5782 6a2f78 5779->5782 5783 6a2fbc 5780->5783 5786 6a2a40 5 API calls 5780->5786 6067 6a2a40 5781->6067 6078 6aa540 5782->6078 5787 6aa540 9 API calls 5783->5787 5786->5783 5788 6a2fa0 5787->5788 6050 6ad22b 5788->6050 5790 6a2ffe 5791 6ade42 GetModuleHandleW 5790->5791 5792 6ad6ce 5791->5792 5792->5760 5792->5761 5794 6add3d 5793->5794 5795 6add42 memset memset IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 5793->5795 5794->5795 5796 6ade2f 5795->5796 5796->5748 5798 6adba3 5797->5798 5798->5767 6094 6a89f0 5799->6094 5803 6aa24e 6097 6a4190 5803->6097 5805 6aa286 5806 6a4190 20 API calls 5805->5806 5807 6aa2a9 5806->5807 6109 6a4490 5807->6109 5811 6aa2d7 6130 6ad23c 5811->6130 5814 6a4190 20 API calls 5815 6aa318 5814->5815 6137 6a4290 5815->6137 5817 6aa34c 6152 6ac810 5817->6152 5822 6aa3b2 5824 6aa3c8 5822->5824 5827 6a2aa0 4 API calls 5822->5827 5823 6aa389 6186 6a29d0 5823->6186 6172 6aa8b0 GetWindowsDirectoryA 5824->6172 5826 6a2aa0 4 API calls 5826->5823 5827->5824 5829 6aa413 5832 6aa429 5829->5832 5834 6a2aa0 4 API calls 5829->5834 5831 6aa3eb 5838 6a29d0 memmove 5831->5838 6180 6aaac0 SHGetSpecialFolderPathA 5832->6180 5833 6a2aa0 4 API calls 5833->5831 5834->5832 5837 6aa46d 5840 
6aa483 5837->5840 5842 6a2aa0 4 API calls 5837->5842 5838->5829 5839 6aa448 5845 6a29d0 memmove 5839->5845 5843 6aaac0 24 API calls 5840->5843 5841 6a2aa0 4 API calls 5841->5839 5842->5840 5844 6aa48b 5843->5844 5846 6aa4c7 5844->5846 5847 6aa4a2 5844->5847 5849 6a2aa0 4 API calls 5844->5849 5845->5837 5848 6aa4d9 5846->5848 5850 6a2aa0 4 API calls 5846->5850 5854 6a29d0 memmove 5847->5854 5851 6aa4eb 5848->5851 5852 6a2a40 5 API calls 5848->5852 5849->5847 5850->5848 5853 6ad22b __ehhandler$___std_fs_get_file_id@8 5 API calls 5851->5853 5852->5851 5855 6a2ea7 5853->5855 5854->5846 5856 6aacc0 5855->5856 6309 6a4ad0 5856->6309 5863 6aad3e 5865 6aad66 5863->5865 5866 6a2aa0 4 API calls 5863->5866 5864 6a2aa0 4 API calls 5864->5863 5867 6a4ad0 19 API calls 5865->5867 5866->5865 5868 6aad92 5867->5868 5869 6a4be0 15 API calls 5868->5869 5870 6aada8 5869->5870 5871 6a98d0 18 API calls 5870->5871 5872 6aadbe 5871->5872 5873 6a4be0 15 API calls 5872->5873 5874 6aadd4 5873->5874 6328 6ac160 5874->6328 5876 6aadf2 5877 6aae36 5876->5877 5879 6aae11 5876->5879 5882 6a2aa0 4 API calls 5876->5882 5878 6aae4b 5877->5878 5880 6a2aa0 4 API calls 5877->5880 5881 6aae78 5878->5881 5883 6a2aa0 4 API calls 5878->5883 5887 6a29d0 memmove 5879->5887 5880->5878 5884 6aaeab 5881->5884 5885 6a2aa0 4 API calls 5881->5885 5882->5879 5883->5881 5886 6aaedc 5884->5886 5888 6a2aa0 4 API calls 5884->5888 5885->5884 6335 6a4c10 5886->6335 5887->5877 5888->5886 5891 6ac160 9 API calls 5892 6aaf14 5891->5892 5893 6aaf58 5892->5893 5894 6aaf33 5892->5894 5896 6a2aa0 4 API calls 5892->5896 5895 6aaf6e 5893->5895 5897 6a2aa0 4 API calls 5893->5897 5900 6a29d0 memmove 5894->5900 5898 6a4c10 16 API calls 5895->5898 5896->5894 5897->5895 5899 6aaf88 5898->5899 5901 6ac160 9 API calls 5899->5901 5900->5893 5902 6aafa6 5901->5902 5903 6aafea 5902->5903 5904 6aafc5 5902->5904 5906 6a2aa0 4 API calls 5902->5906 5905 6ab000 5903->5905 5907 6a2aa0 4 API calls 5903->5907 5910 6a29d0 memmove 5904->5910 5908 
                                                                            [Control-flow graph node/edge listing; the rendered graph is not recoverable from the page. Functions and calls it covers: 006A1BC0 (ServiceMain: memset, wcscpy_s, RegisterServiceCtrlHandlerW, SetServiceStatus, CreateEventW, GetLastError, CloseHandle, CreateThread starting 006A20F0, WaitForSingleObject, FindCloseChangeNotification); 006A20F0 (worker thread: WaitForSingleObject, CreateEventW, memset, 006A6010 with InitializeCriticalSection and InitializeConditionVariable, _CxxThrowException, 006A9A70 with FindCloseChangeNotification); 006A1B30 (logging helper, 117 API calls, called throughout); 006A3200 (GetFileAttributesA, _mkdir, _errno); 006AA9B0 (GetWindowsDirectoryA); 006A89F7 (GetCurrentProcess, IsWow64Process); 006A5410/006A5700 (MultiByteToWideChar); 006AD236 (IsProcessorFeaturePresent); 006AD744 (SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess); 006AD23C (malloc, _callnewh); and the std::string/std::vector helpers (memmove, ?_Xlength_error@std@@YAXPBD, ?_Xout_of_range@std@@YAXPBD, ?_Xbad_alloc@std@, _invalid_parameter_noinfo_noreturn). The long repeating run of nodes between 006AB01A and 006AB63C (006A4C10 with 16 API calls, 006AC160 with 9 API calls, 006A2AA0 with 4 API calls, 006A29D0 memmove) is a sequence of identical string-building steps.]

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • memset.VCRUNTIME140(?,00000000,00000088,DD4A9CAB), ref: 006A2E94
                                                                              • Part of subcall function 006AA140: GetCurrentProcess.KERNEL32(?,?,?,?), ref: 006AA23C
                                                                              • Part of subcall function 006AA140: IsWow64Process.KERNEL32(00000000,?,?,?,?), ref: 006AA243
                                                                            • wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000100,?,0000000E,0000000E), ref: 006A2F14
                                                                            • StartServiceCtrlDispatcherW.ADVAPI32(?), ref: 006A2F4E
                                                                            • GetLastError.KERNEL32 ref: 006A2F58
                                                                              • Part of subcall function 006A2AA0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A2AB3
                                                                              • Part of subcall function 006A2AA0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A2AC0
                                                                              • Part of subcall function 006A2AA0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A2ACD
                                                                              • Part of subcall function 006A2AA0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A2AD8
                                                                              • Part of subcall function 006A2A40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,006A49EC,?,?,?), ref: 006A2A50
                                                                              • Part of subcall function 006A2A40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,006A49EC,?,?,?), ref: 006A2A64
                                                                              • Part of subcall function 006A2A40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,006A49EC,?,?,?), ref: 006A2A71
                                                                              • Part of subcall function 006A2A40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,006A49EC,?,?,?), ref: 006A2A7E
                                                                              • Part of subcall function 006A2A40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,006A49EC,?,?,?), ref: 006A2A89
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
                                                                            • Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn$Process$CtrlCurrentDispatcherErrorLastServiceStartWow64memsetwcscpy_s
                                                                            • String ID:
                                                                            • API String ID: 2974385897-0
                                                                            • Opcode ID: 2baa2f4532972f0b741c6f7df44f70978ef3d42679b1d85a1380b0f8e9a1cd6a
                                                                            • Instruction ID: 4892238321049bdca4c992d76a11652992b3668ca43b6fa91d72194e2fddea0a
                                                                            • Opcode Fuzzy Hash: 2baa2f4532972f0b741c6f7df44f70978ef3d42679b1d85a1380b0f8e9a1cd6a
                                                                            • Instruction Fuzzy Hash: 4F418C70941119AFDB60EFA4DD59BDEB7B9EF09300F2041E9E409A2290EB349F84CF55
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • new.LIBCMT ref: 006A1C05
                                                                              • Part of subcall function 006AD23C: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,006A1B67,0000001C,DD4A9CAB,?,?,?,006AE36F,000000FF,?,006A212F,ws_update_service,%s enter {,ServiceWorkerThread,DD4A9CAB), ref: 006AD263
                                                                              • Part of subcall function 006A3200: GetFileAttributesA.KERNELBASE(0000001C,.txt,00000004,000000FF,00000100,?,006AE5A3,DD4A9CAB), ref: 006A333E
                                                                              • Part of subcall function 006A3200: _mkdir.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(0000001C,?,?,?,?,?,?,?,?,?,?,?,?,00000000,006AE5A3,000000FF), ref: 006A3356
                                                                              • Part of subcall function 006A3200: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,006AE5A3,000000FF,?,006A1C45,?), ref: 006A3363
                                                                            • new.LIBCMT ref: 006A1C56
                                                                              • Part of subcall function 006AD23C: _callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,006A1B67,0000001C,DD4A9CAB,?,?,?,006AE36F,000000FF,?,006A212F,ws_update_service,%s enter {,ServiceWorkerThread,DD4A9CAB), ref: 006AD244
                                                                              • Part of subcall function 006A4D80: new.LIBCMT ref: 006A4DDD
                                                                              • Part of subcall function 006A4D80: InitializeCriticalSection.KERNEL32(00000004), ref: 006A4DF4
                                                                            • memset.VCRUNTIME140(?,00000000,00000088,ws_update_service,ServiceMain: service started), ref: 006A1CB3
                                                                            • wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000064,?,?,0000000E,ServiceMain: service started), ref: 006A1D4F
                                                                            • RegisterServiceCtrlHandlerW.ADVAPI32(?,006A2060), ref: 006A1D64
                                                                            • SetServiceStatus.SECHOST(00000000,006B4768), ref: 006A1E6C
                                                                            • GetLastError.KERNEL32 ref: 006A1E78
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 006A1E95
                                                                            • GetLastError.KERNEL32 ref: 006A1EB3
                                                                            • SetServiceStatus.ADVAPI32(006B4768), ref: 006A1ECF
                                                                            • GetLastError.KERNEL32 ref: 006A1ED9
                                                                            • SetServiceStatus.ADVAPI32(006B4768), ref: 006A1F26
                                                                            • GetLastError.KERNEL32 ref: 006A1F2C
                                                                            • CloseHandle.KERNEL32 ref: 006A1F47
                                                                            • CreateThread.KERNELBASE(00000000,00000000,Function_000020F0,00000000,00000000,00000000), ref: 006A1F6C
                                                                            • CloseHandle.KERNEL32 ref: 006A1F8E
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 006A1FA7
                                                                            • FindCloseChangeNotification.KERNELBASE ref: 006A1FB3
                                                                            • SetServiceStatus.ADVAPI32(006B4768), ref: 006A1FEC
                                                                            • GetLastError.KERNEL32 ref: 006A1FF2
                                                                              • Part of subcall function 006A1AA0: new.LIBCMT ref: 006A1AD2
                                                                            Strings
                                                                            • ServiceMain: Can't create thread, xrefs: 006A1F76
                                                                            • ServiceMain: SetServiceStatus "stopped" returned error [%d], xrefs: 006A1EDC
                                                                            • ServiceMain: SetServiceStatus to "start pending" returned error [%d], xrefs: 006A1E7B
                                                                            • ServiceMain: SetServiceStatus to "stopped" returned error [%d], xrefs: 006A1FF5
                                                                            • ws_update_service, xrefs: 006A1C97, 006A1E80, 006A1EE1, 006A1F34, 006A1F7B, 006A1FFA
                                                                            • ServiceMain: SetServiceStatus to "running" returned error [%d], xrefs: 006A1F2F
                                                                            • ServiceMain: service started, xrefs: 006A1C92
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
                                                                            • Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLastService$Status$Close$CreateHandle$AttributesChangeCriticalCtrlEventFileFindHandlerInitializeNotificationObjectRegisterSectionSingleThreadWait_callnewh_errno_mkdirmallocmemsetwcscpy_s
                                                                            • String ID: ServiceMain: Can't create thread$ServiceMain: SetServiceStatus "stopped" returned error [%d]$ServiceMain: SetServiceStatus to "running" returned error [%d]$ServiceMain: SetServiceStatus to "start pending" returned error [%d]$ServiceMain: SetServiceStatus to "stopped" returned error [%d]$ServiceMain: service started$ws_update_service
                                                                            • API String ID: 138789579-4288471160
                                                                            • Opcode ID: cc4110207d4262d14f64a17312d1de8034882adbec3c662c628203102463a1a5
                                                                            • Instruction ID: 1f65b16308341eb4cf80581723d187228d895e179e85a495c59705368018020b
                                                                            • Opcode Fuzzy Hash: cc4110207d4262d14f64a17312d1de8034882adbec3c662c628203102463a1a5
                                                                            • Instruction Fuzzy Hash: 8BB1BEB0A403159FEB60FF64DD15BAA7BB7EB53304F1012A8E509A6292DFB05E84CF51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,DD4A9CAB,?,?,?,?,006AE628,000000FF), ref: 006A3614
                                                                            • GetFileAttributesA.KERNEL32(00000000,00000000,00000000,000000FF,?,00000000,000000FF), ref: 006A36DE
                                                                            • fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,006B0880,006B036C), ref: 006A3728
                                                                            • fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000001,00000000), ref: 006A378C
                                                                            • fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 006A3793
                                                                            • _stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,?,?,?,?,?,000000FF), ref: 006A3802
                                                                            • fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,006B0880,?,?,?,?,?,000000FF), ref: 006A3960
                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 006A3981
                                                                            • _wsplitpath_s.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,00000000,00000000,00000000,00000000,?,00000104,?,00000100), ref: 006A39AE
                                                                            • wcscat_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000105,?), ref: 006A39C7
                                                                            • GetCurrentProcessId.KERNEL32(DEBUG,?), ref: 006A3A3E
                                                                            • fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000001,00000000,?,?,?,?,?,?,?,?,?), ref: 006A3AA4
                                                                            • fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,?), ref: 006A3AAB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
                                                                            • Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
                                                                            Similarity
                                                                            • API ID: File_stat64i32fclosefopenfwrite$AttributesCurrentModuleNameProcess_wsplitpath_swcscat_s
                                                                            • String ID: %s Continue on next file -->$%s %s [%d] <%s> [%s]: %s$DEBUG$ERROR$windows_hook_helper$windows_hook_manager
                                                                            • API String ID: 3352214153-4226532283
                                                                            • Opcode ID: 49b5fb01723fecc6a9d78df871bf1f52e57bdbb7297fd700cb36f4ed052770f8
                                                                            • Instruction ID: 3ddf64cd3f89a44ee4b21c76bf663f8e312a45e6afca82d7f55ee17158804364
                                                                            • Opcode Fuzzy Hash: 49b5fb01723fecc6a9d78df871bf1f52e57bdbb7297fd700cb36f4ed052770f8
                                                                            • Instruction Fuzzy Hash: 06F192709042289BDF64EF54DC95BEAB7BAAF16300F4401DAF50A67282DB719F84CF64
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,Global\Exit_7a176276-e800-4daa-b5e8-7febbd3efc4b,DD4A9CAB,?,?,?,006AE456,000000FF), ref: 006A223D
                                                                            • new.LIBCMT ref: 006A224F
                                                                              • Part of subcall function 006AD23C: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,006A1B67,0000001C,DD4A9CAB,?,?,?,006AE36F,000000FF,?,006A212F,ws_update_service,%s enter {,ServiceWorkerThread,DD4A9CAB), ref: 006AD263
                                                                            • new.LIBCMT ref: 006A226F
                                                                              • Part of subcall function 006AD23C: _callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,006A1B67,0000001C,DD4A9CAB,?,?,?,006AE36F,000000FF,?,006A212F,ws_update_service,%s enter {,ServiceWorkerThread,DD4A9CAB), ref: 006AD244
                                                                            • memset.VCRUNTIME140(00000000,00000000,00000038,?,?,006AE456,000000FF), ref: 006A2285
                                                                              • Part of subcall function 006A6010: new.LIBCMT ref: 006A606A
                                                                              • Part of subcall function 006A6010: InitializeCriticalSection.KERNEL32(00000004), ref: 006A6081
                                                                              • Part of subcall function 006A6010: new.LIBCMT ref: 006A608C
                                                                              • Part of subcall function 006A6010: InitializeConditionVariable.KERNEL32(00000004), ref: 006A60A3
                                                                              • Part of subcall function 006A6010: new.LIBCMT ref: 006A60AE
                                                                              • Part of subcall function 006A6010: new.LIBCMT ref: 006A60DC
                                                                              • Part of subcall function 006A6010: new.LIBCMT ref: 006A6107
                                                                              • Part of subcall function 006A6010: new.LIBCMT ref: 006A6135
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000038,?,?,006AE456,000000FF), ref: 006A22B9
                                                                            • CloseHandle.KERNEL32(00000000,?,00000038,?,?,006AE456,000000FF), ref: 006A22C0
                                                                            Strings
                                                                            • Exit update service, xrefs: 006A22CF
                                                                            • ws_update_service, xrefs: 006A22D4
                                                                            • Global\Exit_7a176276-e800-4daa-b5e8-7febbd3efc4b, xrefs: 006A222B
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
                                                                            • Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
                                                                            Similarity
                                                                            • API ID: Initialize$CloseConditionCreateCriticalEventHandleObjectSectionSingleVariableWait_callnewhmallocmemset
                                                                            • String ID: Exit update service$Global\Exit_7a176276-e800-4daa-b5e8-7febbd3efc4b$ws_update_service
                                                                            • API String ID: 2975680148-3142918566
                                                                            • Opcode ID: 8bc2c88faf0e97585bb64049316fd43eb929020d8e7117a20e52132fd632d206
                                                                            • Instruction ID: 774084dc9a413cb9f2d9ed14b1302b2553df7ed251f5e69c6800134cd4991bd9
                                                                            • Opcode Fuzzy Hash: 8bc2c88faf0e97585bb64049316fd43eb929020d8e7117a20e52132fd632d206
                                                                            • Instruction Fuzzy Hash: 6821B471A40344ABE710ABA4CC46B9EBFE5EF86B10F10426DF5059B3C1DBB15D448BA2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetFileAttributesA.KERNELBASE(0000001C,.txt,00000004,000000FF,00000100,?,006AE5A3,DD4A9CAB), ref: 006A333E
                                                                            • _mkdir.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(0000001C,?,?,?,?,?,?,?,?,?,?,?,?,00000000,006AE5A3,000000FF), ref: 006A3356
                                                                            • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,006AE5A3,000000FF,?,006A1C45,?), ref: 006A3363
                                                                            • GetFileAttributesA.KERNELBASE(0000001C,.txt,00000004,000000FF,00000100,?,006AE5A3,DD4A9CAB), ref: 006A3382
                                                                            • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,000000FF,0000001C,00000000,000000FF,.txt,00000004,000000FF,00000100,?,006AE5A3,DD4A9CAB), ref: 006A341F
                                                                            • _mkdir.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,006AE5A3,000000FF), ref: 006A343A
                                                                            • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,006AE5A3,000000FF), ref: 006A3447
                                                                              • Part of subcall function 006A2AA0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A2AB3
                                                                              • Part of subcall function 006A2AA0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A2AC0
                                                                              • Part of subcall function 006A2AA0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A2ACD
                                                                              • Part of subcall function 006A2AA0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A2AD8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
                                                                            • Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn$AttributesFile$_errno_mkdir
                                                                            • String ID: .txt
                                                                            • API String ID: 231429698-2195685702
                                                                            • Opcode ID: 6ab3bef86531c2a6254831af3f706f2cbb20799a112ce008a503299e29521ccc
                                                                            • Instruction ID: ebc2227fba2ca815ce1624c2fc0aedb29681500ea2af47faf077032bea9b469e
                                                                            • Opcode Fuzzy Hash: 6ab3bef86531c2a6254831af3f706f2cbb20799a112ce008a503299e29521ccc
                                                                            • Instruction Fuzzy Hash: 6BA18C70904254DFEF14EF68C844BAEBBB6EF06310F540559E452AB392CB71AE85CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 006A89F0: new.LIBCMT ref: 006A89F2
                                                                            • GetCurrentProcess.KERNEL32(?,?,?,?), ref: 006AA23C
                                                                            • IsWow64Process.KERNEL32(00000000,?,?,?,?), ref: 006AA243
                                                                            • new.LIBCMT ref: 006AA2D9
                                                                              • Part of subcall function 006A29D0: memmove.VCRUNTIME140(00000001,006A34BC,458BFFFE,00000001,00000000,?,006A34BC,00000000,006B036C,00000001), ref: 006A29EB
                                                                              • Part of subcall function 006A2AA0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A2AB3
                                                                              • Part of subcall function 006A2AA0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A2AC0
                                                                              • Part of subcall function 006A2AA0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A2ACD
                                                                              • Part of subcall function 006A2AA0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A2AD8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
                                                                            • Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn$Process$CurrentWow64memmove
                                                                            • String ID: Data$SOFTWARE\Classes\CLSID\$\MiscStatus\1${d07606c8-6532-4d75-a46d-f5f5ac6ef74a}
                                                                            • API String ID: 1129509905-531586979
                                                                            • Opcode ID: 8d1724d1b23b6712b356b1c2773503dbf69277b3e3546c9df31c1990d568a532
                                                                            • Instruction ID: 0d7748faaa62a1b25a7538e2aa055708063d4b1dd89fd4f925171893741e5e22
                                                                            • Opcode Fuzzy Hash: 8d1724d1b23b6712b356b1c2773503dbf69277b3e3546c9df31c1990d568a532
                                                                            • Instruction Fuzzy Hash: 94C18070A04204DFEB14EFA8D844BAEBBB6FF06304F10455EE4129B292C7B59D45CFA6
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 006A1B30: new.LIBCMT ref: 006A1B62
                                                                            • SetServiceStatus.ADVAPI32(006B4768), ref: 006A20BC
                                                                            • GetLastError.KERNEL32 ref: 006A20C6
                                                                              • Part of subcall function 006A1AA0: new.LIBCMT ref: 006A1AD2
                                                                            • SetEvent.KERNEL32 ref: 006A20E5
                                                                            Strings
                                                                            • ServiceCtrlHandler : CtrlCode = 0x%x, xrefs: 006A2068
                                                                            • ws_update_service, xrefs: 006A206D, 006A20D2
                                                                            • ServiceCtrlHandler: SetServiceStatus returned error [%d], xrefs: 006A20CD
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
                                                                            • Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorEventLastServiceStatus
                                                                            • String ID: ServiceCtrlHandler : CtrlCode = 0x%x$ServiceCtrlHandler: SetServiceStatus returned error [%d]$ws_update_service
                                                                            • API String ID: 1851023558-1142061411
                                                                            • Opcode ID: a0c296a956e5463bc5d5b079233acfe2558189303fe4769cd6b8d5891a06ef79
                                                                            • Instruction ID: 66a6c2bc099c6856c0f3eead5d99b1f925a3f5c0a0a62f31c0f84b37cdf8a4ec
                                                                            • Opcode Fuzzy Hash: a0c296a956e5463bc5d5b079233acfe2558189303fe4769cd6b8d5891a06ef79
                                                                            • Instruction Fuzzy Hash: 42F0A9F6580310ABE7203BA4AE19B873EA7EB53754F015220F60511262DFB108C4CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 427 6a20f0-6a2142 call 6a1b30 WaitForSingleObject 430 6a2157-6a2166 call 6a1b30 427->430 431 6a2144-6a214b call 6a2200 427->431 434 6a216b-6a2181 430->434 435 6a2150 431->435 435->430
APIs
  • Part of subcall function 006A1B30: new.LIBCMT ref: 006A1B62
• WaitForSingleObject.KERNEL32(00000000), ref: 006A213A
  • Part of subcall function 006A2200: CreateEventW.KERNEL32(00000000,00000001,00000000,Global\Exit_7a176276-e800-4daa-b5e8-7febbd3efc4b,DD4A9CAB,?,?,?,006AE456,000000FF), ref: 006A223D
  • Part of subcall function 006A2200: new.LIBCMT ref: 006A224F
  • Part of subcall function 006A2200: new.LIBCMT ref: 006A226F
  • Part of subcall function 006A2200: memset.VCRUNTIME140(00000000,00000000,00000038,?,?,006AE456,000000FF), ref: 006A2285
  • Part of subcall function 006A2200: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000038,?,?,006AE456,000000FF), ref: 006A22B9
  • Part of subcall function 006A2200: CloseHandle.KERNEL32(00000000,?,00000038,?,?,006AE456,000000FF), ref: 006A22C0
Memory Dump Source
• Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
• Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
Similarity
• API ID: ObjectSingleWait$CloseCreateEventHandlememset
• String ID: %s enter {$%s exit }$ServiceWorkerThread$ws_update_service
• API String ID: 2403714371-878017133
• Opcode ID: 9d3702215f206935332d70bad10446b5b5f82689b633d830d2fe784b793a3115
• Instruction ID: 8ec7a6889eea3eba9124aea344ce83e5b7a50207767172a0969d54e7539f559f
• Opcode Fuzzy Hash: 9d3702215f206935332d70bad10446b5b5f82689b633d830d2fe784b793a3115
• Instruction Fuzzy Hash: 31012BF6A84304BBD350BB58DD03F8BBFAAE746B60F010329F515926C1EA7119108F60
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 463 6a9ae0-6a9afe 464 6a9b00-6a9b13 GetThreadId GetCurrentThreadId 463->464 465 6a9b25-6a9b42 CreateThread 463->465 466 6a9b45-6a9b53 call 6ad22b 464->466 467 6a9b15-6a9b1e CloseHandle 464->467 465->466 467->465
APIs
• GetThreadId.KERNEL32(?), ref: 006A9B02
• GetCurrentThreadId.KERNEL32 ref: 006A9B0A
• CloseHandle.KERNEL32(?), ref: 006A9B18
• CreateThread.KERNELBASE(00000000,00000000,Function_00009C10,?,00000000,?), ref: 006A9B3C
Memory Dump Source
• Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
• Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
Similarity
• API ID: Thread$CloseCreateCurrentHandle
• String ID:
• API String ID: 2527425298-0
• Opcode ID: a666ae15956a8ab2d5fec6c9f47182acf6967eb9a66a862ca5ff876c74e3c1ef
• Instruction ID: 961016d2980f8573f18ac72ae5c9b412360234a4e802a519c1b2f6b7daa7bdd7
• Opcode Fuzzy Hash: a666ae15956a8ab2d5fec6c9f47182acf6967eb9a66a862ca5ff876c74e3c1ef
• Instruction Fuzzy Hash: 8F014F74600208AFD710EF65EC49B5AFBE9FF49711F204269E909D7240DB70A990CBA4
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 470 6a22f3-6a2357 call 6a1aa0 _CxxThrowException 475 6a2359-6a235d call 6a6180 470->475 476 6a235f-6a2369 470->476 475->476 477 6a236b-6a2373 call 6ad4dc 476->477 478 6a2376-6a2387 476->478 477->478
APIs
  • Part of subcall function 006A1AA0: new.LIBCMT ref: 006A1AD2
• _CxxThrowException.VCRUNTIME140(00000000,00000000), ref: 006A2312
Memory Dump Source
• Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
• Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
Similarity
• API ID: ExceptionThrow
• String ID: Error loading information %s$ws_update_service
• API String ID: 432778473-4076271563
• Opcode ID: 453d2bd84b5a63aa8211eb92e528176546206b246c7b761d69187fda21f23f63
• Instruction ID: 31119c292b7078cb1b2b1a3bb4f96e4f4446bafe6b4557d7aae163af4c03fa85
• Opcode Fuzzy Hash: 453d2bd84b5a63aa8211eb92e528176546206b246c7b761d69187fda21f23f63
• Instruction Fuzzy Hash: DD01B5B5A44204AFE710EF58C815F9ABBEAEF0AB10F10416DF915977C1DBB56D008B94
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 487 6a1b30-6a1b5e 488 6a1b9d-6a1bab call 6a4f80 487->488 489 6a1b60-6a1b9b call 6ad23c call 6a4d80 487->489 491 6a1bae-6a1bbd 488->491 489->488 489->491
APIs
• new.LIBCMT ref: 006A1B62
  • Part of subcall function 006AD23C: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,006A1B67,0000001C,DD4A9CAB,?,?,?,006AE36F,000000FF,?,006A212F,ws_update_service,%s enter {,ServiceWorkerThread,DD4A9CAB), ref: 006AD263
  • Part of subcall function 006A4D80: new.LIBCMT ref: 006A4DDD
  • Part of subcall function 006A4D80: InitializeCriticalSection.KERNEL32(00000004), ref: 006A4DF4
Memory Dump Source
• Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
• Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
Similarity
• API ID: CriticalInitializeSectionmalloc
• String ID:
• API String ID: 4141300597-0
• Opcode ID: d24aceaa50ec36213ee5d6b0e75caf0b58a96a78b76ca395bbfe08c448e6f74e
• Instruction ID: ea9ccc4234003d4ab0f673a416c638f0cc39c6221e5ff44a5fd7b2e679059fbf
• Opcode Fuzzy Hash: d24aceaa50ec36213ee5d6b0e75caf0b58a96a78b76ca395bbfe08c448e6f74e
• Instruction Fuzzy Hash: 641184B1A10649AFDB04EF55CD01BAA77E9FB46710F10436AE81597390FBB0ED40CB90
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 496 6aaac0-6aab11 SHGetSpecialFolderPathA 497 6aab13-6aab15 496->497 498 6aab17-6aab1d 496->498 499 6aab29-6aab48 call 6a27b0 call 6ad22b 497->499 500 6aab20-6aab25 498->500 500->500 501 6aab27 500->501 501->499
APIs
• SHGetSpecialFolderPathA.SHELL32(00000000,?,0000002A,00000000,?), ref: 006AAAF3
Memory Dump Source
• Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
• Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
Similarity
• API ID: FolderPathSpecial
• String ID:
• API String ID: 994120019-0
• Opcode ID: 37b9be6b38899aa05e2b484e053a9dc086584c7df2b3246d7c91c7a57373e2fa
• Instruction ID: 3eaab6950b2ea99f456a5b4441242679fafa6c9cc0ce94b0345e1f7b148d78d5
• Opcode Fuzzy Hash: 37b9be6b38899aa05e2b484e053a9dc086584c7df2b3246d7c91c7a57373e2fa
• Instruction Fuzzy Hash: 4C01D470A042189BDB24EF24CC157FABBB6AB06304F0002DED58657381DBB55EC9CF91
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
APIs
• __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00002710,?,00000000,?), ref: 006A4FC2
Memory Dump Source
• Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
• Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
Similarity
• API ID: __stdio_common_vsprintf
• String ID:
• API String ID: 9700413-0
• Opcode ID: 3cae84d183857a3bb6afce12c1f7507bb00247dfafae94f02a6f52a10e996ba4
• Instruction ID: a3a08c40c10daf5fdf3a4450ff879bce827f349078d27d1aee265786d9dc6f60
• Opcode Fuzzy Hash: 3cae84d183857a3bb6afce12c1f7507bb00247dfafae94f02a6f52a10e996ba4
• Instruction Fuzzy Hash: C101A471600208AFDB04EF58DC99EAF77BAEF89310F004099F90997241CB71AE60DBA1
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 515 6a9a70-6a9a8e 516 6a9a9e-6a9aa9 515->516 517 6a9a90-6a9a97 FindCloseChangeNotification 515->517 518 6a9aba-6a9abe 516->518 519 6a9aab-6a9ab5 call 6a9da0 516->519 517->516 521 6a9acb-6a9adb call 6ad22b 518->521 522 6a9ac0-6a9ac8 call 6ad4dc 518->522 519->518 522->521
APIs
• FindCloseChangeNotification.KERNELBASE(?), ref: 006A9A91
Memory Dump Source
• Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
• Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
• Opcode ID: c91e600038048cfc8a51a875021ca60d7ca736ab877104e6bc5c5989afc84154
• Instruction ID: 71afca75e0383bd1a4a05ac8199a80fdd896006ecad9f23dcde6ba4e0b75b743
• Opcode Fuzzy Hash: c91e600038048cfc8a51a875021ca60d7ca736ab877104e6bc5c5989afc84154
• Instruction Fuzzy Hash: 51F0A4705003095BD724FF54D9557AABFE6EF06300F10445DEE8697341DB71AD84CBA4
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNELBASE(?,006A38C8), ref: 006A9881
Memory Dump Source
• Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
• Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: bdb9e38e0ae27caadb66b2360009cbde2139d3eacd24fe323ce07644fddbd80e
• Instruction ID: a41fb3102c7f2638a7dba00368ded52b22ea1f4ed65595d537452d41c0475b1c
• Opcode Fuzzy Hash: bdb9e38e0ae27caadb66b2360009cbde2139d3eacd24fe323ce07644fddbd80e
• Instruction Fuzzy Hash: 34B0926440160005AE282AB85A086DA2B1359873E5BE82F91D4748A3E1CA3D9C4BE921
Uniqueness
• Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 006A1B30: new.LIBCMT ref: 006A1B62
                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,DD4A9CAB,00000000,00000000), ref: 006AB6BF
                                                                            • _CxxThrowException.VCRUNTIME140(?,006B3210,?,Error on service control manager), ref: 006AB717
                                                                            • GetLastError.KERNEL32 ref: 006AB6CB
                                                                              • Part of subcall function 006A1AA0: new.LIBCMT ref: 006A1AD2
                                                                            • CreateServiceA.ADVAPI32(00000000,?,?,C0000012,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 006AB7E3
                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000005,?,00000004,?,00000003), ref: 006AB7EF
                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00000005,?,00000004,?,00000003), ref: 006AB7F8
                                                                            • ChangeServiceConfig2W.ADVAPI32(00000000,00000002,00000004,?,?,?,?,?,?,?,00000005,?), ref: 006AB893
                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00000005,?), ref: 006AB8A0
                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00000005,?), ref: 006AB8A3
                                                                              • Part of subcall function 006A2AA0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A2AB3
                                                                              • Part of subcall function 006A2AA0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A2AC0
                                                                              • Part of subcall function 006A2AA0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A2ACD
                                                                              • Part of subcall function 006A2AA0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A2AD8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
                                                                            • Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
                                                                            Similarity
                                                                            • API ID: Service$_invalid_parameter_noinfo_noreturn$CloseHandle$ErrorLast$ChangeConfig2CreateExceptionManagerOpenThrow
                                                                            • String ID: %s enter {$%s exit }$CStealthManager::setupStartUpService$Error Creating services$Error Creating services %d$Error on service control manager$Error on service control manager: %d$Service Display name: %s$Service name: %s$ServiceExe path: %s$stealth_manager
                                                                            • API String ID: 1505281203-3321287816
                                                                            • Opcode ID: 7a9fe8523f35c1f920a618048eddbec40d5602407cf986efc5e5ffc1b30e2fb8
                                                                            • Instruction ID: 9e09a2819a69a90ddfcb005798905b70d2769e7abb4a322eb45e3c1323d99799
                                                                            • Opcode Fuzzy Hash: 7a9fe8523f35c1f920a618048eddbec40d5602407cf986efc5e5ffc1b30e2fb8
                                                                            • Instruction Fuzzy Hash: 807161B0A40258EFEB10EBA4CC56BEEBBBAEF46700F500019F501AB1C2D7B55D858F65
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 006A1B30: new.LIBCMT ref: 006A1B62
                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,DD4A9CAB,00000000,00000000), ref: 006AB98F
                                                                            • CreateServiceA.ADVAPI32(00000000,?,?,C0000012,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 006ABA66
                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,0000000B,?,0000000A,?,00000009), ref: 006ABA76
                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,0000000B,?,0000000A,?,00000009), ref: 006ABA7F
                                                                              • Part of subcall function 006A1AA0: new.LIBCMT ref: 006A1AD2
                                                                            • _CxxThrowException.VCRUNTIME140(?,006B3210,?,00000000,?,?,?,?,?,?,?,?,?,?,0000000B,?), ref: 006ABAB9
                                                                            • ChangeServiceConfig2W.ADVAPI32(00000000,00000002,0000000A,?,?,?,?,?,?,?,0000000B,?), ref: 006ABB98
                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,0000000B,?), ref: 006ABBA5
                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,0000000B,?), ref: 006ABBA8
                                                                            • GetLastError.KERNEL32 ref: 006ABC27
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
                                                                            • Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
                                                                            Similarity
                                                                            • API ID: Service$CloseHandle$ErrorLast$ChangeConfig2CreateExceptionManagerOpenThrow
                                                                            • String ID: %s enter {$%s exit }$CStealthManager::setupProcessMonitorService$Error Creating services %d$Error on service control manager: %d$Service display name: %s$Service name: %s$Service path: %s$stealth_manager
                                                                            • API String ID: 2238952430-1689939351
                                                                            • Opcode ID: 087d9b2ffc1d6ea2a2d61d9194d976d9d2dca6f64be3c935f37fb9e0cb81987d
                                                                            • Instruction ID: 8518a6da1d63e7882bdb4ed3ee7ff8c15c15eb80390de67c0eec28b0ad6b9b09
                                                                            • Opcode Fuzzy Hash: 087d9b2ffc1d6ea2a2d61d9194d976d9d2dca6f64be3c935f37fb9e0cb81987d
                                                                            • Instruction Fuzzy Hash: 07815FB0A40218EFEB10EB94CC56BEEBBB6EB06700F504159F505BB2C2DBB15D858F65
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 006A1AA0: new.LIBCMT ref: 006A1AD2
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,Global\Exit_5491c4d3-0a5f-4898-bec4-cd906998e306), ref: 006A9CA1
                                                                            • SetEvent.KERNEL32(00000000), ref: 006A9CAE
                                                                            • CloseHandle.KERNEL32(00000000), ref: 006A9CB5
                                                                            • __std_exception_destroy.VCRUNTIME140(?), ref: 006A9CC6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
                                                                            • Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
                                                                            Similarity
                                                                            • API ID: Event$CloseCreateHandle__std_exception_destroy
                                                                            • String ID: Global\Exit_5491c4d3-0a5f-4898-bec4-cd906998e306$Thread error: %s$Unknown exception$fxstd
                                                                            • API String ID: 1146585969-2499111489
                                                                            • Opcode ID: e82e196a3aeb268d751834f7d2ba190c40db65f4062a2a51cd13e8013a980381
                                                                            • Instruction ID: d12f8e997ffa5c1839508c6ed9cf7dd91b3469c9e316e3d4027a208af571b88e
                                                                            • Opcode Fuzzy Hash: e82e196a3aeb268d751834f7d2ba190c40db65f4062a2a51cd13e8013a980381
                                                                            • Instruction Fuzzy Hash: 3BF0A0F0F81601ABFB107B609C0EFDF7EA7AF05705F100114F906B6282D7A58D858B65
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?,?,?,?,?,?,?,00000000,006AEB96,000000FF), ref: 006A5A40
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,?,?,?,?,?,?,?,?,00000000,006AEB96,000000FF), ref: 006A5A69
                                                                            • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,00000000,006AEB96,000000FF), ref: 006A5ABB
                                                                            • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,006AEB96), ref: 006A5B3A
                                                                            • memmove.VCRUNTIME140(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,006AEB96), ref: 006A5B62
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
                                                                            • Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
                                                                            Similarity
                                                                            • API ID: memmove$Xlength_error@std@@Xout_of_range@std@@
                                                                            • String ID: invalid string position$string too long
                                                                            • API String ID: 2690457442-4289949731
                                                                            • Opcode ID: 14ebc1175d683a147506ec3bfcdea9ac397e1360b4097c50bab9f79a8734bef7
                                                                            • Instruction ID: 9981cefa43118db079b4ede67595d6957d91416d97df645f5db2580732f20675
                                                                            • Opcode Fuzzy Hash: 14ebc1175d683a147506ec3bfcdea9ac397e1360b4097c50bab9f79a8734bef7
                                                                            • Instruction Fuzzy Hash: 79614C71700609DFCB24DF58D9908AAB7A7FF86315720866EE946CB210D731ED56CFA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • new.LIBCMT ref: 006A606A
                                                                              • Part of subcall function 006AD23C: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,006A1B67,0000001C,DD4A9CAB,?,?,?,006AE36F,000000FF,?,006A212F,ws_update_service,%s enter {,ServiceWorkerThread,DD4A9CAB), ref: 006AD263
                                                                            • InitializeCriticalSection.KERNEL32(00000004), ref: 006A6081
                                                                            • new.LIBCMT ref: 006A608C
                                                                              • Part of subcall function 006AD23C: _callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,006A1B67,0000001C,DD4A9CAB,?,?,?,006AE36F,000000FF,?,006A212F,ws_update_service,%s enter {,ServiceWorkerThread,DD4A9CAB), ref: 006AD244
                                                                            • InitializeConditionVariable.KERNEL32(00000004), ref: 006A60A3
                                                                            • new.LIBCMT ref: 006A60AE
                                                                              • Part of subcall function 006AD23C: Concurrency::cancel_current_task.LIBCPMT ref: 006AD25B
                                                                            • new.LIBCMT ref: 006A60DC
                                                                            • new.LIBCMT ref: 006A6107
                                                                            • new.LIBCMT ref: 006A6135
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
                                                                            • Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
                                                                            Similarity
                                                                            • API ID: Initialize$Concurrency::cancel_current_taskConditionCriticalSectionVariable_callnewhmalloc
                                                                            • String ID:
                                                                            • API String ID: 1909774165-0
                                                                            • Opcode ID: db6604cab5fe2729cf1dadcbcd6cab5155629483ec0083ca0b2f168b3b89eef1
                                                                            • Instruction ID: b1af8968f000f6350d5f844641c5054f729efd859b89be03f291ce250d99f249
                                                                            • Opcode Fuzzy Hash: db6604cab5fe2729cf1dadcbcd6cab5155629483ec0083ca0b2f168b3b89eef1
                                                                            • Instruction Fuzzy Hash: 984104B0910705AFE3009F61C849B96BFE5FF85310F15C65AE5098B7A1E7B9A984CBC4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?,00000000,?,006A280F,?,00000000,0000023A,?,?,?,006A10E4,Pacific/Marquesas,00000011), ref: 006A28CA
                                                                              • Part of subcall function 006A2BA0: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?,?,006A2923,00000000,0000023A,?,?,00000000,?,006A280F,?,00000000,0000023A), ref: 006A2BB6
                                                                            • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?,00000000,?,006A280F,?,00000000,0000023A,?,?,?,006A10E4,Pacific/Marquesas,00000011), ref: 006A28EB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
                                                                            • Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
                                                                            Similarity
                                                                            • API ID: Xout_of_range@std@@
                                                                            • String ID: invalid string position$string too long
                                                                            • API String ID: 1960685668-4289949731
                                                                            • Opcode ID: 1701a84c75b155ff2a274aeae83a241425122f4ba7163a1b3219d6d17347dd14
                                                                            • Instruction ID: 1641c05d0b9e33ac5a4468345372bb554485eeee0a02b9d4e32f67e493edabef
                                                                            • Opcode Fuzzy Hash: 1701a84c75b155ff2a274aeae83a241425122f4ba7163a1b3219d6d17347dd14
                                                                            • Instruction Fuzzy Hash: 1F31A2323403128FD720AF5DE850B5BF7E6EB96B61F100A6EE586C7641D7B29C408BE5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?,?,?,006A41E0,?,?,?,?,?,?,006AA286,SOFTWARE\Classes\CLSID\), ref: 006A42AA
                                                                            • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?,?,?,006A41E0,?,?,?,?,?,?,006AA286,SOFTWARE\Classes\CLSID\), ref: 006A42CB
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,?,?,?,006A41E0,?,?,?,?,?,?,006AA286,SOFTWARE\Classes\CLSID\), ref: 006A4305
                                                                            • memmove.VCRUNTIME140(?,?,?,?,?,?,?,006A41E0,?,?,?,?,?,?,006AA286,SOFTWARE\Classes\CLSID\), ref: 006A436E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
                                                                            • Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
                                                                            Similarity
                                                                            • API ID: Xout_of_range@std@@$Xlength_error@std@@memmove
                                                                            • String ID: invalid string position$string too long
                                                                            • API String ID: 3597620626-4289949731
                                                                            • Opcode ID: d90d0e0005b9531165c7fa5edcf82fbd1926c7824b2a0b94d92636ca27c002d3
                                                                            • Instruction ID: 05c529892e0932828e910cbdc4bb7bcd553293561d38c0c8baa00891649fc72c
                                                                            • Opcode Fuzzy Hash: d90d0e0005b9531165c7fa5edcf82fbd1926c7824b2a0b94d92636ca27c002d3
                                                                            • Instruction Fuzzy Hash: A1319D32304310DB8B24AF59EC8096BF7E6EFD67113110A6EE556C7210DFB1AD51CBA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,DD4A9CAB,00000000,?,?,006A45AF,00000000,?,?,DD4A9CAC,?,?,006A9908,DD4A9CAB,DD4A9CAC), ref: 006A468A
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,DD4A9CAB,00000000,?,?,006A45AF,00000000,?,?,DD4A9CAC,?,?,006A9908,DD4A9CAB,DD4A9CAC), ref: 006A46AD
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,DD4A9CAB,00000000,?,?,006A45AF,00000000,?,?,DD4A9CAC,?,?,006A9908,DD4A9CAB,DD4A9CAC), ref: 006A46C8
                                                                            • memmove.VCRUNTIME140(?,?,DD4A9CAC,DD4A9CAB,00000000,?,?,006A45AF,00000000,?,?,DD4A9CAC,?,?,006A9908,DD4A9CAB), ref: 006A472F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
                                                                            • Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
                                                                            Similarity
                                                                            • API ID: Xlength_error@std@@$Xout_of_range@std@@memmove
                                                                            • String ID: invalid string position$string too long
                                                                            • API String ID: 3326265527-4289949731
                                                                            • Opcode ID: c552bede234a3a6be0d466cd06dd89545dd12663f9e6102116ba146e9c35296d
                                                                            • Instruction ID: 5f98c1f509dd58eda8ae2693599590cf91e9c01903f73d487f4106651908a789
                                                                            • Opcode Fuzzy Hash: c552bede234a3a6be0d466cd06dd89545dd12663f9e6102116ba146e9c35296d
                                                                            • Instruction Fuzzy Hash: 5D319F323012418FDB24AF5CEC80A6BB7E6EFD6751B100A6EE456C7251DBB1EC40CBA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,006A49EC,?,?,?), ref: 006A2A50
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,006A49EC,?,?,?), ref: 006A2A64
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,006A49EC,?,?,?), ref: 006A2A71
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,006A49EC,?,?,?), ref: 006A2A7E
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,006A49EC,?,?,?), ref: 006A2A89
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
                                                                            • Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                            • String ID: Ij
                                                                            • API String ID: 3668304517-1760422038
                                                                            • Opcode ID: a6d745edd926885f616f9539c3844dddc6d76251444b3f9f3893c75ceafa6973
                                                                            • Instruction ID: adac05ba77cfb92c7a633fff79da208c2294717e1624767fae1cbf2a5afecd41
                                                                            • Opcode Fuzzy Hash: a6d745edd926885f616f9539c3844dddc6d76251444b3f9f3893c75ceafa6973
                                                                            • Instruction Fuzzy Hash: 0CF01C705402064BEB6C7BFCECAD56F7B97AB0A325B101728EA57C2651DA219CD0CE15
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?,?,?,006AA2B8,?,00000000,000000FF,{d07606c8-6532-4d75-a46d-f5f5ac6ef74a},00000026,SOFTWARE\Classes\CLSID\), ref: 006A44AA
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,?,?,?,006AA2B8,?,00000000,000000FF,{d07606c8-6532-4d75-a46d-f5f5ac6ef74a},00000026,SOFTWARE\Classes\CLSID\), ref: 006A44CD
                                                                            • memmove.VCRUNTIME140(?,?,00000000,?,?,?,?,?,?,006AA2B8,?,00000000,000000FF,{d07606c8-6532-4d75-a46d-f5f5ac6ef74a},00000026,SOFTWARE\Classes\CLSID\), ref: 006A4511
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
                                                                            • Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
                                                                            Similarity
                                                                            • API ID: Xlength_error@std@@Xout_of_range@std@@memmove
                                                                            • String ID: invalid string position$string too long
                                                                            • API String ID: 1352685159-4289949731
                                                                            • Opcode ID: 49ad5b62babe9b518e1dbeecb1565b41972f37bd95ddc56fb2304dc472fb56a0
                                                                            • Instruction ID: 3ada127d32dfaf0c8709e7febfa3bdea40348f9f2dfa53972ee676d9643a01eb
                                                                            • Opcode Fuzzy Hash: 49ad5b62babe9b518e1dbeecb1565b41972f37bd95ddc56fb2304dc472fb56a0
                                                                            • Instruction Fuzzy Hash: D421BD713002059F9724EF5DEC80A9AB7EBEF89754300453DE405C7200DBB0EC55CBA4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xbad_alloc@std@@YAXXZ.MSVCP140(DD4A9CAB,?,?,?), ref: 006A4954
                                                                            • ?_Xbad_alloc@std@@YAXXZ.MSVCP140(DD4A9CAB,?,?,?), ref: 006A496A
                                                                            • new.LIBCMT ref: 006A4971
                                                                            • new.LIBCMT ref: 006A4985
                                                                              • Part of subcall function 006AD23C: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,006A1B67,0000001C,DD4A9CAB,?,?,?,006AE36F,000000FF,?,006A212F,ws_update_service,%s enter {,ServiceWorkerThread,DD4A9CAB), ref: 006AD263
                                                                            • memmove.VCRUNTIME140(00000000,?,?,?), ref: 006A49D3
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
                                                                            • Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
                                                                            Similarity
                                                                            • API ID: Xbad_alloc@std@@$mallocmemmove
                                                                            • String ID:
                                                                            • API String ID: 186744070-0
                                                                            • Opcode ID: cac2d5458aed09e70425bc89bd85185881fdbbb391baff0729413b29c0901ec2
                                                                            • Instruction ID: 8dc2892324a74d499e65d98bdd28d20e3ac706e841f3089645c59578c49c9298
                                                                            • Opcode Fuzzy Hash: cac2d5458aed09e70425bc89bd85185881fdbbb391baff0729413b29c0901ec2
                                                                            • Instruction Fuzzy Hash: B44193B16006009BDB24EF28DD8166BB7EAEB86750B20072DE456C7790EBB0ED15CF65
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xbad_alloc@std@@YAXXZ.MSVCP140(?,?,3FFFFFFF,?,?,006A5109,?,?,?,?,006A5058,?), ref: 006A518C
                                                                            • ?_Xbad_alloc@std@@YAXXZ.MSVCP140(?,?,3FFFFFFF,?,?,006A5109,?,?,?,?,006A5058,?), ref: 006A51A7
                                                                            • new.LIBCMT ref: 006A51AE
                                                                            • memmove.VCRUNTIME140(00000000,?,?), ref: 006A51D6
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
                                                                            • Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
                                                                            Similarity
                                                                            • API ID: Xbad_alloc@std@@$memmove
                                                                            • String ID:
                                                                            • API String ID: 2874220160-0
                                                                            • Opcode ID: e1ed50747ce39a95e4a0df899d9e8d32ca29eac059f9ca56359602f794be1d6b
                                                                            • Instruction ID: 9b5dd5032b4f9ac1d46084fb97f1924e83995e731d795c1eb83e6f90e281bd09
                                                                            • Opcode Fuzzy Hash: e1ed50747ce39a95e4a0df899d9e8d32ca29eac059f9ca56359602f794be1d6b
                                                                            • Instruction Fuzzy Hash: 5E11B1B1A10A02AFD718FF68C881A7EF7AAFB463407104639E916C3250E771ED15CBA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,006A3F0C,?), ref: 006A4870
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,006A3F0C,?), ref: 006A4888
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,006A3F0C,?), ref: 006A4895
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,006A3F0C,?), ref: 006A48A2
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,006A3F0C,?), ref: 006A48AD
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
                                                                            • Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                            • String ID:
                                                                            • API String ID: 3668304517-0
                                                                            • Opcode ID: fcf77e5bf584fcf84beeec32c56d5b9dee160e2ab07dfa9dfeb2057505eea920
                                                                            • Instruction ID: cba97d862e76862f0526c8c11dbd943343689ada9111757314db551c7a34cfde
                                                                            • Opcode Fuzzy Hash: fcf77e5bf584fcf84beeec32c56d5b9dee160e2ab07dfa9dfeb2057505eea920
                                                                            • Instruction Fuzzy Hash: 85F05E745001444FFB5C7BECAC9866E3BA7EB86361B100669E803C2211DEA5ECC0CE11
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,006A4EC7,?,?,?,?,?,006AE7D0,000000FF,?,006A4E1B), ref: 006A5120
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,006A4EC7,?,?,?,?,?,006AE7D0,000000FF,?,006A4E1B), ref: 006A5135
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,006A4EC7,?,?,?,?,?,006AE7D0,000000FF,?,006A4E1B), ref: 006A5142
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,006A4EC7,?,?,?,?,?,006AE7D0,000000FF,?,006A4E1B), ref: 006A514F
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,006A4EC7,?,?,?,?,?,006AE7D0,000000FF,?,006A4E1B), ref: 006A515A
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
                                                                            • Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                            • String ID:
                                                                            • API String ID: 3668304517-0
                                                                            • Opcode ID: 1acce069a8803f2df443ac96e4060db8cb0b5cc375bcbd010cb4d2afbc5981d4
                                                                            • Instruction ID: 16057dda0ecd3268d03b035c7407024c2d4b91924e5a2b5163617b87ee61af27
                                                                            • Opcode Fuzzy Hash: 1acce069a8803f2df443ac96e4060db8cb0b5cc375bcbd010cb4d2afbc5981d4
                                                                            • Instruction Fuzzy Hash: E5F0A0705006044BEB5CBBECA89D67F7B67EB06321B100729F823C1650DB319CC0CE11
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,DD4A9CAC,?,?,006A9908,DD4A9CAB,DD4A9CAC,?,?), ref: 006A45C8
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,DD4A9CAB,DD4A9CAC,?,?,006A9908,DD4A9CAB,DD4A9CAC,?,?), ref: 006A45E4
                                                                            • memmove.VCRUNTIME140(?,?,?,DD4A9CAB,DD4A9CAC,?,?,006A9908,DD4A9CAB,DD4A9CAC,?,?), ref: 006A463E
                                                                              • Part of subcall function 006A4670: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,DD4A9CAB,00000000,?,?,006A45AF,00000000,?,?,DD4A9CAC,?,?,006A9908,DD4A9CAB,DD4A9CAC), ref: 006A468A
                                                                              • Part of subcall function 006A4670: ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,DD4A9CAB,00000000,?,?,006A45AF,00000000,?,?,DD4A9CAC,?,?,006A9908,DD4A9CAB,DD4A9CAC), ref: 006A46AD
                                                                              • Part of subcall function 006A4670: ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,DD4A9CAB,00000000,?,?,006A45AF,00000000,?,?,DD4A9CAC,?,?,006A9908,DD4A9CAB,DD4A9CAC), ref: 006A46C8
                                                                              • Part of subcall function 006A4670: memmove.VCRUNTIME140(?,?,DD4A9CAC,DD4A9CAB,00000000,?,?,006A45AF,00000000,?,?,DD4A9CAC,?,?,006A9908,DD4A9CAB), ref: 006A472F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
                                                                            • Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
                                                                            Similarity
                                                                            • API ID: Xlength_error@std@@$memmove$Xout_of_range@std@@
                                                                            • String ID: string too long
                                                                            • API String ID: 1879775902-2556327735
                                                                            • Opcode ID: d1a78d5ceb63a37b9b2c6c852a31caf8b57ebe193ce85bc2d3f239922b6703ee
                                                                            • Instruction ID: b3ac46349f6da7b90b5c422eff68774df84bf9d30929a79e5b9461a4f29aaa37
                                                                            • Opcode Fuzzy Hash: d1a78d5ceb63a37b9b2c6c852a31caf8b57ebe193ce85bc2d3f239922b6703ee
                                                                            • Instruction Fuzzy Hash: A131A4327002109BE724BE5CEC8096AF7A7EBD7751720452EE49287751CBB1DC458BA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,?,?,006A53A3,?,?,?,?,?,?,00000000), ref: 006A58D4
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,?,?,006A53A3,?,?,?,?,?,?,00000000), ref: 006A58E4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
                                                                            • Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
                                                                            Similarity
                                                                            • API ID: Xlength_error@std@@
                                                                            • String ID: string too long
                                                                            • API String ID: 1004598685-2556327735
                                                                            • Opcode ID: 7e3e233f2b72e4d8bc555a2cee7f1141d92c82020914eadf9eb0d89cf793dabd
                                                                            • Instruction ID: 6b208bb560c810cc34a766d9fe4d1e005582fb18adda41f458c8feaf23bf5fde
                                                                            • Opcode Fuzzy Hash: 7e3e233f2b72e4d8bc555a2cee7f1141d92c82020914eadf9eb0d89cf793dabd
                                                                            • Instruction Fuzzy Hash: E0215332704B90CBD731AA5CE800757FBE6ABA7731F11096EE1978B651C7B19C44CBA2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xbad_alloc@std@@YAXXZ.MSVCP140(DD4A9CAB,0000023A,?,00000000), ref: 006A2CC8
                                                                            • new.LIBCMT ref: 006A2CCF
                                                                            • new.LIBCMT ref: 006A2CE3
                                                                            • memmove.VCRUNTIME140(00000000,?,0000023A,00000000), ref: 006A2D2F
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
                                                                            • Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
                                                                            Similarity
                                                                            • API ID: Xbad_alloc@std@@memmove
                                                                            • String ID:
                                                                            • API String ID: 2663607490-0
                                                                            • Opcode ID: 7301485aa669089b13c2c554c052f4e2f83571e81418c4c1b1d8cf1d795f00f3
                                                                            • Instruction ID: ae7a4e0c8d2d42b07b62768d4468a33badee520cb47158a0c5847b91c0519485
                                                                            • Opcode Fuzzy Hash: 7301485aa669089b13c2c554c052f4e2f83571e81418c4c1b1d8cf1d795f00f3
                                                                            • Instruction Fuzzy Hash: A031AEB16506029BD724BF2CC89076AB7E6EF46760F500A2DE85387782D771AD44CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
                                                                            • Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
                                                                            Similarity
                                                                            • API ID: Xbad_alloc@std@@
                                                                            • String ID:
                                                                            • API String ID: 3815834350-0
                                                                            • Opcode ID: 36c175023a5f3967d172e54f74fed0957f60e029d946e71a000301baf5a216e1
                                                                            • Instruction ID: 87f3fc06474ba8fd9e5fc79e28c23053c72948076292815effbf67eb41453704
                                                                            • Opcode Fuzzy Hash: 36c175023a5f3967d172e54f74fed0957f60e029d946e71a000301baf5a216e1
                                                                            • Instruction Fuzzy Hash: DAF027F26001400BE718F7B4AC06A2E778A9BA5314700023EF31BC7290FA31DD54DA1D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A2AB3
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A2AC0
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A2ACD
                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A2AD8
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
                                                                            • Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                            • String ID:
                                                                            • API String ID: 3668304517-0
                                                                            • Opcode ID: 95ae80a75ff3640d6aa0c61b7ff58e49d24813e57251368edd5848d35445fccb
                                                                            • Instruction ID: 12717b10dbaa56c2c05f0d18ec717f480bbea97004114a9bcbe5e50185c0c351
                                                                            • Opcode Fuzzy Hash: 95ae80a75ff3640d6aa0c61b7ff58e49d24813e57251368edd5848d35445fccb
                                                                            • Instruction Fuzzy Hash: 6CE092701402064BEB587BEC9D6D16F7B97AB023517004614EA07D5610D630ECD0CE21
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,?,?,?,006AA286,SOFTWARE\Classes\CLSID\,?,?,?,?,?,?,00000017), ref: 006A41F7
                                                                            • memmove.VCRUNTIME140(?,?,00000000,?,?,?,?,006AA286,SOFTWARE\Classes\CLSID\,?,?,?,?,?,?,00000017), ref: 006A4252
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
                                                                            • Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
                                                                            Similarity
                                                                            • API ID: Xlength_error@std@@memmove
                                                                            • String ID: string too long
                                                                            • API String ID: 1146228739-2556327735
                                                                            • Opcode ID: 66a6f4c7d23ecda68a566cd996e3ec99f0be08e4ce1faffa6bc908b9d9b1fbe7
                                                                            • Instruction ID: 0cff46d599a4a72fe12b16d2f33c68c2e58a280e271a4fc664fefc3cac1fbb2e
                                                                            • Opcode Fuzzy Hash: 66a6f4c7d23ecda68a566cd996e3ec99f0be08e4ce1faffa6bc908b9d9b1fbe7
                                                                            • Instruction Fuzzy Hash: 053181323046148B8624AE5CEC8087AF7F7EFE6751360062FE146C7610DFA2AD458BA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,-=j,00000000,00000000,00000000,00000000,00000002,75029350), ref: 006A557E
                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-=j,?,00000000,00000000,00000000,00000000), ref: 006A55C8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
                                                                            • Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide
                                                                            • String ID: -=j
                                                                            • API String ID: 626452242-140233817
                                                                            • Opcode ID: 9441453eb1e9fd14710cda08aa45d28db82746c992e9610bd1c372b4bb722da5
                                                                            • Instruction ID: 08d56944e0f592023c1c9416d4684008d0ea233c66baccf94000c1d5cb7fd72f
                                                                            • Opcode Fuzzy Hash: 9441453eb1e9fd14710cda08aa45d28db82746c992e9610bd1c372b4bb722da5
                                                                            • Instruction Fuzzy Hash: 2921D371208301AFE710EF28DC82B6BBBE5EB89704F000A1DFA499A2C1C670DD44CF96
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetWindowsDirectoryA.KERNEL32(?,00000104,DD4A9CAB), ref: 006AAA05
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
                                                                            • Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
                                                                            Similarity
                                                                            • API ID: DirectoryWindows
                                                                            • String ID: \sysnative$\system32
                                                                            • API String ID: 3619848164-3725051112
                                                                            • Opcode ID: c923e4afa7541dd706499c1b0e18fafd0527b422aaea95d6ec25a2b010010105
                                                                            • Instruction ID: e6dd893cc45b6471b8a76ffe557d402e7fba42bf60341d8568dbdff9394592c7
                                                                            • Opcode Fuzzy Hash: c923e4afa7541dd706499c1b0e18fafd0527b422aaea95d6ec25a2b010010105
                                                                            • Instruction Fuzzy Hash: 9221EFB0A043489FDB24EF54C905BEABBF5EB06700F00429EE2465B681CBB55E88CFD1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,006B036C,006B036C,?,006A4B78,006B036C,00000001,DD4A9CAB,00000001,0000001C), ref: 006A2B04
                                                                            • memmove.VCRUNTIME140(006B036C,3A6E6961,4D656369,4D656369,006B036C,006B036C,?,006A4B78,006B036C,00000001,DD4A9CAB), ref: 006A2B4A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2223130294.00000000006A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 006A0000, based on PE: true
                                                                            • Associated: 00000005.00000002.2223055763.00000000006A0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223155630.00000000006B0000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223176350.00000000006B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 00000005.00000002.2223199623.00000000006B7000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_6a0000_svcAppUpdate.jbxd
                                                                            Similarity
                                                                            • API ID: Xlength_error@std@@memmove
                                                                            • String ID: string too long
                                                                            • API String ID: 1146228739-2556327735
                                                                            • Opcode ID: 9cff78eb073b1c974420425850bbe9513b89fed4c2e240c0f0a9cd28a23c57a0
                                                                            • Instruction ID: 56f790bf4ddd9dfaa6b7a657d803f969a603efd5f8b5632bbc8a8f45ee5c505a
                                                                            • Opcode Fuzzy Hash: 9cff78eb073b1c974420425850bbe9513b89fed4c2e240c0f0a9cd28a23c57a0
                                                                            • Instruction Fuzzy Hash: 1411B7325407025BD731AE5CD881AAAB7A7EF92330F054A6DE99647251C7709C44CFB1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%