Windows Analysis Report
SecuriteInfo.com.Trojan.Agent.19085.17583.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Agent.19085.17583.exe
Analysis ID: 1425409
MD5: ac59acaacf35b2521c866250d3ac9240
SHA1: 7ffa05d5c82c5c1a98ca5382c7944b58284dc68e
SHA256: 3bfddde240eb1c8295e0ededcc4905ff180c40a37625058b71ae280988a370e6
Tags: exe
Infos:

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
File is packed with WinRar
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • SecuriteInfo.com.Trojan.Agent.19085.17583.exe (PID: 5532 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exe" MD5: AC59ACAACF35B2521C866250D3AC9240)
    • officesetup.exe (PID: 5640 cmdline: "C:\Windows\TEMP\officesetup.exe" /download C:\Windows\TEMP\Office.xml MD5: 2D87CE389DB6F9F4F2BB7AECF64042A9)
      • conhost.exe (PID: 5144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: SecuriteInfo.com.Trojan.Agent.19085.17583.exe Virustotal: Detection: 10%
Source: SecuriteInfo.com.Trojan.Agent.19085.17583.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: d:\dbs\el\sa1\target\x86\ship\click2run\en-us\SetupODT.pdb source: SecuriteInfo.com.Trojan.Agent.19085.17583.exe, 00000000.00000003.2072294151.00000237550C1000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000000.2075698144.0000000000489000.00000002.00000001.01000000.00000010.sdmp, officesetup.exe, 00000003.00000002.3875011921.0000000000489000.00000002.00000001.01000000.00000010.sdmp, officesetup.exe.0.dr
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: SecuriteInfo.com.Trojan.Agent.19085.17583.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exe Code function: 0_2_00007FF6A430407C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF6A430407C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exe Code function: 0_2_00007FF6A431B110 SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,SetForegroundWindow,DialogBoxParamW,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF6A431B110
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exe Code function: 0_2_00007FF6A432FC20 FindFirstFileExA,0_2_00007FF6A432FC20
Source: Joe Sandbox View IP Address: 52.113.194.132
Source: Joe Sandbox View IP Address: 152.195.19.97
Source: Joe Sandbox View IP Address: 20.189.173.4
Source: Joe Sandbox View IP Address: 52.109.20.38
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/removeBearer
Source: officesetup.exe, 00000003.00000003.2138643545.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111224699.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117329267.0000000004C08000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109384763.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C0A000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115936508.0000000004C05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/removeentFl
Source: officesetup.exe, 00000003.00000003.2138643545.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111224699.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117329267.0000000004C08000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109384763.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C0A000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115936508.0000000004C05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/removeoadin
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/queryBearer
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/queryvents
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://analysis.windows.net/powerbi/api
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://analysis.windows.net/powerbi/apiFlag
Source: officesetup.exe, 00000003.00000003.2108573556.00000000047BC000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107475100.00000000047BC000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3883235522.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108474205.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2137984699.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110915498.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113576949.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117860030.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115346556.0000000004795000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://analysis.windows.net/powerbi/apiarePoi
Source: officesetup.exe, 00000003.00000003.2108573556.00000000047BC000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107475100.00000000047BC000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3883235522.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108474205.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2137984699.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110915498.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113576949.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117860030.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115346556.0000000004795000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://analysis.windows.net/powerbi/apiddLabely
Source: officesetup.exe, 00000003.00000003.2108573556.00000000047BC000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107475100.00000000047BC000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3883235522.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108474205.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2137984699.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110915498.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113576949.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117860030.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115346556.0000000004795000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://analysis.windows.net/powerbi/apiiona
Source: officesetup.exe, 00000003.00000003.2115079736.0000000004C2C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110383678.0000000004C50000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechBearer
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://api.aadrm.com
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107508009.000000000329B000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://api.aadrm.com/
Source: officesetup.exe, 00000003.00000002.3884066765.0000000004A07000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139432109.00000000049F9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2120456590.0000000004A0F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108640535.0000000004A0F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113705452.0000000004A0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.aadrm.com/D
Source: officesetup.exe, 00000003.00000003.2108671524.000000000329B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107508009.000000000329B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.aadrm.comOArtResourceServiceEndpointxx
Source: officesetup.exe, 00000003.00000002.3884066765.0000000004A07000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139432109.00000000049F9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2120456590.0000000004A0F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108640535.0000000004A0F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113705452.0000000004A0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.aadrm.comt
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://api.addins.omex.office.net/api/addins/search
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.addins.omex.office.net/api/addins/searchWin
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.addins.omex.office.net/appinfo/querySubName
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://api.addins.store.office.com/app/query
Source: officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.addins.store.office.com/app/queryAppStateQuery15https://api.addins.omex.office.net/appst
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.addins.store.officeppe.com/addinstemplateHN
Source: 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://api.cortana.ai
Source: officesetup.exe, 00000003.00000002.3884066765.0000000004A07000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139432109.00000000049F9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2120456590.0000000004A0F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108640535.0000000004A0F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113705452.0000000004A0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.cortana.ai3
Source: officesetup.exe, 00000003.00000003.2107475100.00000000047BC000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.cortana.aiBearer
Source: officesetup.exe, 00000003.00000003.2107475100.00000000047BC000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.cortana.aihttps://login.windows.net/common/oauth2/authorize
Source: 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://api.diagnostics.office.com
Source: officesetup.exe, 00000003.00000003.2113430925.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115544366.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109229062.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004C14000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117965995.0000000004C70000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004C6B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109104378.0000000004C29000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115079736.0000000004C2C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.diagnostics.office.com1
Source: officesetup.exe, 00000003.00000003.2107475100.00000000047BC000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.diagnostics.office.comBearer
Source: officesetup.exe, 00000003.00000003.2107475100.00000000047BC000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.diagnostics.office.comhttps://login.windows.net/common/oauth2/authorize
Source: officesetup.exe, 00000003.00000003.2113430925.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115544366.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109229062.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004C14000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117965995.0000000004C70000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004C6B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109104378.0000000004C29000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115079736.0000000004C2C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.diagnostics.office.comr7022C
Source: officesetup.exe, 00000003.00000003.2111014372.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://api.diagnosticssdf.office.com
Source: 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: officesetup.exe, 00000003.00000003.2138841637.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107508009.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878680937.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2112104929.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140430993.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108671524.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2118693235.00000000032E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedbackbon
Source: officesetup.exe, 00000003.00000002.3882855465.0000000004715000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2137775560.000000000470C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119596374.0000000004710000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119397562.00000000046DB000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140775970.0000000004710000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedbackled
Source: 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://client-office365-tas.msedge.net/abespack
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://clients.config.office.net
Source: 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://clients.config.office.net/
Source: officesetup.exe, 00000003.00000003.2107508009.000000000329B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/Bearer
Source: officesetup.exe, 00000003.00000002.3878160329.000000000326A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/D
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138643545.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111224699.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117329267.0000000004C08000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109384763.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C0A000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115936508.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallationtClaig
Source: officesetup.exe, 00000003.00000003.2107508009.000000000329B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/https://login.windows.net/common/oauth2/authorize
Source: officesetup.exe, 00000003.00000003.2107508009.000000000329B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/https://login.windows.net/common/oauth2/authorize5
Source: officesetup.exe, 00000003.00000002.3878160329.000000000326A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/led
Source: officesetup.exe, 00000003.00000002.3878160329.000000000326A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/low
Source: officesetup.exe, 00000003.00000002.3878160329.000000000326A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/lure
Source: officesetup.exe, 00000003.00000002.3878160329.000000000326A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/r
Source: 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: officesetup.exe, 00000003.00000003.2138643545.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111224699.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117329267.0000000004C08000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109384763.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C0A000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115936508.0000000004C05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies31
Source: officesetup.exe, 00000003.00000003.2107508009.000000000329B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policiesBearer
Source: officesetup.exe, 00000003.00000003.2138643545.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111224699.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117329267.0000000004C08000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109384763.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C0A000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115936508.0000000004C05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policiesEve
Source: officesetup.exe, 00000003.00000003.2107508009.000000000329B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policieshttps://login.windows.net/common/oauth2/
Source: 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: officesetup.exe, 00000003.00000003.2107508009.000000000329B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/iosBearer
Source: officesetup.exe, 00000003.00000003.2107508009.000000000329B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/ioshttps://login.windows.net/common/oauth2/authorize
Source: 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: officesetup.exe, 00000003.00000003.2107508009.000000000329B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/macBearer
Source: officesetup.exe, 00000003.00000003.2107508009.000000000329B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/machttps://login.windows.net/common/oauth2/authorize
Source: officesetup.exe, 00000003.00000003.2108573556.00000000047BC000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107475100.00000000047BC000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3883235522.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108474205.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2137984699.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110915498.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113576949.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117860030.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115346556.0000000004795000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/macv
Source: 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: officesetup.exe, 00000003.00000003.2108158532.00000000033E0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2116978985.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119931905.00000000033E0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138260687.00000000033E8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139330326.00000000033E8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3879582452.00000000033E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey1
Source: officesetup.exe, 00000003.00000003.2107508009.000000000329B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkeyBearer
Source: officesetup.exe, 00000003.00000003.2107508009.000000000329B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkeyhttps://login.windows.net/common/oau
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.netPI:
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cloudfiles.onenote.com/upload.aspxOneNoteCloudFilesConsumerEmbedhttps://onedrive.live.com/em
Source: officesetup.exe, 00000003.00000003.2115448668.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138086473.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2102947035.00000000013C7000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107323740.0000000004813000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3883358917.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110868557.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2102911041.00000000032A4000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2101376992.00000000032A1000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117819895.0000000004807000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117207907.0000000004804000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113576949.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108316375.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115346556.0000000004795000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://config.edge.skype.com
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://config.edge.skype.com/config/v1/Office:
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://config.edge.skype.com/config/v2/Officet
Source: SecuriteInfo.com.Trojan.Agent.19085.17583.exe, 00000000.00000003.2072294151.0000023755061000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000000.2075698144.0000000000489000.00000002.00000001.01000000.00000010.sdmp, officesetup.exe, 00000003.00000002.3875011921.0000000000489000.00000002.00000001.01000000.00000010.sdmp, officesetup.exe.0.drString found in binary or memory: https://config.office.com
Source: officesetup.exe, 00000003.00000002.3879582452.00000000033E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://config.office.com/api/filelist?Channel=PerpetualVL2021&Arch=x64&version=16.0.14332.20685&lid
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: officesetup.exe, 00000003.00000003.2138643545.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111224699.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117329267.0000000004C08000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109384763.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C0A000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115936508.0000000004C05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consentsc
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: officesetup.exe, 00000003.00000003.2138643545.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111224699.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117329267.0000000004C08000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109384763.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C0A000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115936508.0000000004C05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consentsUseLe
Source: 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://cortana.ai
Source: 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://cortana.ai/api
Source: officesetup.exe, 00000003.00000002.3884066765.0000000004A07000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139432109.00000000049F9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2120456590.0000000004A0F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108640535.0000000004A0F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113705452.0000000004A0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cortana.ai/api-
Source: officesetup.exe, 00000003.00000003.2107475100.00000000047BC000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cortana.ai/apiBearer
Source: officesetup.exe, 00000003.00000002.3884066765.0000000004A07000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139432109.00000000049F9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2120456590.0000000004A0F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108640535.0000000004A0F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113705452.0000000004A0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cortana.ai/apiV
Source: officesetup.exe, 00000003.00000003.2107475100.00000000047BC000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cortana.ai/apihttps://login.windows.net/common/oauth2/authorize
Source: officesetup.exe, 00000003.00000002.3884066765.0000000004A07000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139432109.00000000049F9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2120456590.0000000004A0F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108640535.0000000004A0F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113705452.0000000004A0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cortana.aietlD
Source: officesetup.exe, 00000003.00000002.3884066765.0000000004A07000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139432109.00000000049F9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2120456590.0000000004A0F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108640535.0000000004A0F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113705452.0000000004A0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cortana.aijcge
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://cr.office.com
Source: officesetup.exe, 00000003.00000002.3884066765.0000000004A07000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139432109.00000000049F9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2120456590.0000000004A0F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108640535.0000000004A0F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113705452.0000000004A0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cr.office.comtx
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://d.docs.live.net
Source: officesetup.exe, 00000003.00000002.3884066765.0000000004A07000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139432109.00000000049F9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2120456590.0000000004A0F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108640535.0000000004A0F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113705452.0000000004A0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.docs.live.netK
Source: officesetup.exe, 00000003.00000003.2107508009.000000000329B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.docs.live.netMBI_SSLonedrivemobile.
Source: 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://dataservice.o365filtering.com
Source: 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://dataservice.o365filtering.com/
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
Source: officesetup.exe, 00000003.00000003.2107475100.00000000047BC000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626AuthorizationBearer
Source: officesetup.exe, 00000003.00000003.2108158532.00000000033E0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2116978985.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119931905.00000000033E0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138260687.00000000033E8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139330326.00000000033E8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3879582452.00000000033E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626ctur0
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: officesetup.exe, 00000003.00000003.2107475100.00000000047BC000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/EnrichmentMetadataUrlhttps://enrichm
Source: officesetup.exe, 00000003.00000003.2108158532.00000000033E0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2116978985.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119931905.00000000033E0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138260687.00000000033E8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139330326.00000000033E8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3879582452.00000000033E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/all
Source: officesetup.exe, 00000003.00000003.2113430925.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138643545.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139761439.0000000004C38000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004C14000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C51000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115645976.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109317874.0000000004C3C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109104378.0000000004C29000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111170089.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109350726.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140397405.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115079736.0000000004C2C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110383678.0000000004C50000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: officesetup.exe, 00000003.00000003.2113430925.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138643545.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139761439.0000000004C38000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004C14000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C51000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115645976.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109317874.0000000004C3C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109104378.0000000004C29000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111170089.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109350726.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140397405.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115079736.0000000004C2C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110383678.0000000004C50000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: officesetup.exe, 00000003.00000003.2107475100.00000000047BC000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtmlEnrichmentDisambiguat
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: officesetup.exe, 00000003.00000003.2113430925.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138643545.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139761439.0000000004C38000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004C14000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C51000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115645976.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109317874.0000000004C3C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109104378.0000000004C29000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111170089.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109350726.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140397405.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115079736.0000000004C2C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110383678.0000000004C50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtmlrepa
Source: officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/https://login.windows.net/common/oauth2/authorizeMBI_SSLosi.office
Source: officesetup.exe, 00000003.00000003.2113430925.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115544366.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109229062.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004C14000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117965995.0000000004C70000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004C6B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109104378.0000000004C29000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115079736.0000000004C2C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/om01W
Source: officesetup.exe, 00000003.00000003.2113430925.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115544366.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109229062.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004C14000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117965995.0000000004C70000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004C6B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109104378.0000000004C29000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115079736.0000000004C2C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/om20
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2102947035.00000000013C7000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2102911041.00000000032A4000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2101376992.00000000032A1000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://entitlement.diagnostics.office.com
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://entitlement.diagnostics.office.comtFlag
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2102947035.00000000013C7000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2102911041.00000000032A4000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2101376992.00000000032A1000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: officesetup.exe, 00000003.00000003.2113430925.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115544366.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109229062.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004C14000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117965995.0000000004C70000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004C6B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109104378.0000000004C29000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115079736.0000000004C2C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://entity.osi.office.net/t
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: officesetup.exe, 00000003.00000003.2113430925.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138643545.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139761439.0000000004C38000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004C14000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C51000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115645976.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109317874.0000000004C3C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109104378.0000000004C29000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111170089.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109350726.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140397405.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115079736.0000000004C2C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110383678.0000000004C50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech1
Source: officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechBearer
Source: officesetup.exe, 00000003.00000003.2113430925.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115544366.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109229062.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004C14000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117965995.0000000004C70000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004C6B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109104378.0000000004C29000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115079736.0000000004C2C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechce8
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878933219.0000000003332000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138488273.000000000332D000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-androidUserVoiceOf
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fpastorage.cdn.office.net/%sF
Source: officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fpastorage.cdn.office.net/%sFirstPartyAppQueryhttps://fpastorage.cdn.office.net/firstpartyap
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138643545.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111224699.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117329267.0000000004C08000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109384763.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C0A000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115936508.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2102947035.00000000013C7000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2102911041.00000000032A4000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2101376992.00000000032A1000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://globaldisco.crm.dynamics.com
Source: officesetup.exe, 00000003.00000003.2113430925.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115544366.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109229062.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004C14000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117965995.0000000004C70000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004C6B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109104378.0000000004C29000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115079736.0000000004C2C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://globaldisco.crm.dynamics.com:
Source: officesetup.exe, 00000003.00000003.2115448668.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138086473.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107323740.0000000004813000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3883358917.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110868557.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117819895.0000000004807000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117207907.0000000004804000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113576949.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108316375.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115346556.0000000004795000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://graph.ppe.windows.net
Source: officesetup.exe, 00000003.00000003.2115448668.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138086473.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107323740.0000000004813000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3883358917.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110868557.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117819895.0000000004807000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117207907.0000000004804000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113576949.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108316375.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115346556.0000000004795000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://graph.ppe.windows.net/
Source: officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetvoicesBearer
Source: officesetup.exe, 00000003.00000003.2108158532.00000000033E0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2116978985.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119931905.00000000033E0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138260687.00000000033E8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139330326.00000000033E8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3879582452.00000000033E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetvoicestateIn:
Source: 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://lifecycle.office.com
Source: officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lifecycle.office.comMBI_SSL_SHORThttps://lifecycle.office.com
Source: officesetup.exe, 00000003.00000003.2115448668.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138086473.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107323740.0000000004813000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3883358917.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110868557.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117819895.0000000004807000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117207907.0000000004804000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113576949.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108316375.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115346556.0000000004795000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lifecycle.office.comX
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://login.microsoftonline.com
Source: officesetup.exe, 00000003.00000003.2113430925.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115544366.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109229062.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004C14000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2102947035.00000000013C7000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117965995.0000000004C70000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2102911041.00000000032A4000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004C6B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109104378.0000000004C29000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2101376992.00000000032A1000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115079736.0000000004C2C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://login.microsoftonline.com/
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.comlag
Source: 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: officesetup.exe, 00000003.00000003.2108158532.00000000033E0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119183897.0000000003509000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119047830.00000000034E8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2116978985.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3880595030.0000000003503000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2137936643.00000000034DE000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139673877.0000000003502000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140365466.0000000003509000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorizel
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://login.windows.local
Source: officesetup.exe, 00000003.00000003.2115448668.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138086473.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107323740.0000000004813000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3883358917.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110868557.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117819895.0000000004807000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117207907.0000000004804000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113576949.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108316375.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115346556.0000000004795000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.localace
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2102947035.00000000013C7000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2102911041.00000000032A4000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2101376992.00000000032A1000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: officesetup.exe, 00000003.00000003.2113430925.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138643545.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139761439.0000000004C38000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004C14000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C51000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115645976.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109317874.0000000004C3C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109104378.0000000004C29000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111170089.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109350726.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140397405.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115079736.0000000004C2C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110383678.0000000004C50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorizeN
Source: 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: officesetup.exe, 00000003.00000002.3882855465.0000000004715000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2137775560.000000000470C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119596374.0000000004710000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119397562.00000000046DB000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140775970.0000000004710000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize-
Source: officesetup.exe, 00000003.00000002.3883681385.00000000048CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize00-62
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize1
Source: officesetup.exe, 00000003.00000003.2138841637.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107508009.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878680937.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2112104929.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140430993.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108671524.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2118693235.00000000032E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize551_1
Source: officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize:
Source: officesetup.exe, 00000003.00000002.3876994770.0000000001384000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize?
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeDiagno
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeGates1
Source: officesetup.exe, 00000003.00000003.2107475100.00000000047BC000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeMBI_SSL_SHORT
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeOnPane
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizePaneCa0
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizePaner
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeQueue
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeShowPe
Source: officesetup.exe, 00000003.00000002.3876994770.0000000001384000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeZ$
Source: officesetup.exe, 00000003.00000003.2138841637.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107508009.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878680937.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2112104929.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140430993.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108671524.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2118693235.00000000032E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize_
Source: officesetup.exe, 00000003.00000003.2138841637.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107508009.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878680937.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2112104929.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140430993.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108671524.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2118693235.00000000032E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeabels
Source: officesetup.exe, 00000003.00000003.2138488273.000000000336C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878933219.000000000336C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeabled
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeacheFi
Source: officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeag
Source: officesetup.exe, 00000003.00000003.2138841637.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107508009.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878680937.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138488273.000000000336C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2112104929.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140430993.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108671524.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878933219.000000000336C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2118693235.00000000032E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeages
Source: officesetup.exe, 00000003.00000002.3882855465.0000000004715000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2137775560.000000000470C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119596374.0000000004710000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119397562.00000000046DB000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140775970.0000000004710000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeale
Source: officesetup.exe, 00000003.00000003.2138841637.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107508009.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878680937.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2112104929.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140430993.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108671524.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2118693235.00000000032E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeid0
Source: officesetup.exe, 00000003.00000003.2138841637.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107508009.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878680937.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2112104929.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140430993.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108671524.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2118693235.00000000032E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeidO
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeion
Source: officesetup.exe, 00000003.00000003.2120752847.00000000049A1000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884066765.00000000049A1000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2120663141.00000000049A0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2121595661.00000000049A1000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2120125750.000000000495E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeities5S5/:h
Source: officesetup.exe, 00000003.00000003.2120752847.00000000049A1000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884066765.00000000049A1000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2120663141.00000000049A0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2121595661.00000000049A1000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2120125750.000000000495E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeities:S$/
Source: officesetup.exe, 00000003.00000003.2120752847.00000000049A1000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884066765.00000000049A1000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2120663141.00000000049A0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2121595661.00000000049A1000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2120125750.000000000495E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeitsy
Source: officesetup.exe, 00000003.00000002.3876994770.0000000001384000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeity
Source: officesetup.exe, 00000003.00000002.3883681385.00000000048CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeityeE
Source: officesetup.exe, 00000003.00000003.2138488273.000000000336C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878933219.000000000336C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeityn
Source: officesetup.exe, 00000003.00000002.3876994770.0000000001384000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeize
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeizela
Source: officesetup.exe, 00000003.00000003.2138841637.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107508009.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878680937.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2112104929.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140430993.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108671524.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2118693235.00000000032E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizel
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizelag
Source: officesetup.exe, 00000003.00000002.3882855465.0000000004715000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2137775560.000000000470C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119596374.0000000004710000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119397562.00000000046DB000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140775970.0000000004710000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeledZ
Source: officesetup.exe, 00000003.00000003.2120752847.00000000049A1000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884066765.00000000049A1000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2120663141.00000000049A0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2121595661.00000000049A1000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2120125750.000000000495E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizelen
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizelosed
Source: officesetup.exe, 00000003.00000003.2138841637.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107508009.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878680937.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2112104929.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140430993.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108671524.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2118693235.00000000032E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizemeter
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizenDocFa
Source: officesetup.exe, 00000003.00000003.2138488273.000000000336C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878933219.000000000336C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizenant
Source: officesetup.exe, 00000003.00000002.3876994770.0000000001384000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizenateK$k(
Source: officesetup.exe, 00000003.00000002.3876994770.0000000001384000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizenc
Source: officesetup.exe, 00000003.00000002.3883681385.00000000048CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizend-
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizendRepo
Source: officesetup.exe, 00000003.00000003.2138488273.000000000336C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878933219.000000000336C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizened
Source: officesetup.exe, 00000003.00000003.2138841637.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107508009.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878680937.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2112104929.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140430993.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108671524.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2118693235.00000000032E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeng
Source: officesetup.exe, 00000003.00000003.2138841637.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107508009.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878680937.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2112104929.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140430993.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108671524.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2118693235.00000000032E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizenge
Source: officesetup.exe, 00000003.00000003.2138841637.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107508009.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878680937.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2112104929.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140430993.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108671524.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2118693235.00000000032E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizengl
Source: officesetup.exe, 00000003.00000003.2138841637.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107508009.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878680937.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2112104929.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140430993.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108671524.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2118693235.00000000032E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizense
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizent
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizentFlag
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizentFlag7
Source: officesetup.exe, 00000003.00000003.2138488273.000000000336C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878933219.000000000336C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeoad
Source: officesetup.exe, 00000003.00000003.2140430993.00000000032A0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2112104929.000000000329B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108986697.00000000032A7000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107601058.00000000032A8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108671524.000000000329B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138841637.000000000329F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878680937.00000000032A0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2118693235.00000000032A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeogger
Source: officesetup.exe, 00000003.00000003.2108158532.00000000033E0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119183897.0000000003509000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119047830.00000000034E8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2116978985.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3880595030.0000000003503000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2137936643.00000000034DE000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139673877.0000000003502000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140365466.0000000003509000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeolssk3
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeontext
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizerce
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregatorMBI_SSL_SHORTmessaging.engagement.
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://messaging.lifecycle.office.com/
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: officesetup.exe, 00000003.00000003.2138643545.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111224699.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117329267.0000000004C08000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109384763.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C0A000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115936508.0000000004C05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16FailurM
Source: officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16MBI_SSL_SHORTmessaging.lifecycle.office.com
Source: officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16StoreUserStatushttps://odc.
Source: officesetup.exe, 00000003.00000003.2138643545.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111224699.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117329267.0000000004C08000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109384763.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C0A000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115936508.0000000004C05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16c
Source: officesetup.exe, 00000003.00000003.2115448668.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138086473.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107323740.0000000004813000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3883358917.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110868557.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117819895.0000000004807000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117207907.0000000004804000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113576949.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108316375.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115346556.0000000004795000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://messaging.office.com/
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://metadata.templates.cdn.office.net/client/logAppAcquisitionLogginghttps://addinsinstallation.
Source: officesetup.exe, 00000003.00000002.3876994770.000000000130F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mrodevicemgr.edog.officeapps.live.com/mrodevicemgrsvc/api2
Source: officesetup.exe, 00000003.00000003.2110686315.0000000004C14000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mrodevicemgr.officeapps.live.com-1003
Source: officesetup.exe, 00000003.00000003.2113705452.0000000004A0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mrodevicemgr.officeapps.live.com/
Source: officesetup.exe, 00000003.00000003.2113705452.0000000004A0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mrodevicemgr.officeapps.live.com/(
Source: officesetup.exe, 00000003.00000003.2120456590.0000000004A0F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113705452.0000000004A0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mrodevicemgr.officeapps.live.com/1#
Source: officesetup.exe, 00000003.00000003.2120456590.0000000004A0F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113705452.0000000004A0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mrodevicemgr.officeapps.live.com/a
Source: officesetup.exe, 00000003.00000003.2138643545.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111224699.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117329267.0000000004C08000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C0A000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115936508.0000000004C05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api
Source: officesetup.exe, 00000003.00000003.2111224699.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117329267.0000000004C08000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115936508.0000000004C05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData/$s
Source: officesetup.exe, 00000003.00000003.2113705452.0000000004A0F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117689634.0000000004E7F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113304722.0000000004E21000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114739488.0000000004E3A000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData/5030841d-c919-4594-8d
Source: officesetup.exe, 00000003.00000002.3876994770.000000000130F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api4
Source: officesetup.exe, 00000003.00000003.2138643545.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111224699.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117329267.0000000004C08000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C0A000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115936508.0000000004C05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/apiPas
Source: SecuriteInfo.com.Trojan.Agent.19085.17583.exe, 00000000.00000003.2072294151.0000023755061000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000000.2075698144.0000000000489000.00000002.00000001.01000000.00000010.sdmp, officesetup.exe, 00000003.00000002.3875011921.0000000000489000.00000002.00000001.01000000.00000010.sdmp, officesetup.exe.0.drString found in binary or memory: https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/apihttps://mrodevicemgr.edog.officeapps.liv
Source: officesetup.exe, 00000003.00000003.2140430993.00000000032A0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119669404.000000000329C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138841637.000000000329F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878680937.00000000032A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mrodevicemgr.officeapps.live.com:443/mrodevicemgrsvc/api/v2/C2RReleaseData/5030841d-c919-459
Source: officesetup.exe, 00000003.00000003.2119047830.00000000034E8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2116978985.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2137936643.00000000034DE000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139673877.0000000003502000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mrodevicemgr.officeapps.live.com:443nel
Source: officesetup.exe, 00000003.00000003.2110686315.0000000004C14000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mrodevicemgr.officeapps.live.comLseN
Source: officesetup.exe, 00000003.00000003.2113430925.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115544366.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004C14000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117965995.0000000004C70000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004C6B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115079736.0000000004C2C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mrodevicemgr.officeapps.live.comoicetF
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://my.microsoftpersonalcontent.com
Source: officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://my.microsoftpersonalcontent.comMBI
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechBearer
Source: officesetup.exe, 00000003.00000003.2113430925.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138643545.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139761439.0000000004C38000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004C14000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C51000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115645976.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109317874.0000000004C3C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109104378.0000000004C29000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111170089.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109350726.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140397405.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115079736.0000000004C2C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110383678.0000000004C50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechef_
Source: officesetup.exe, 00000003.00000003.2113430925.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115544366.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109229062.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004C14000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117965995.0000000004C70000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004C6B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109104378.0000000004C29000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115079736.0000000004C2C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechog
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108474205.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://ncus.contentsync.
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119047830.00000000034E8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2116978985.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3880595030.0000000003503000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108474205.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2137936643.00000000034DE000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139673877.0000000003502000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://ncus.pagecontentsync.
Source: SecuriteInfo.com.Trojan.Agent.19085.17583.exe, 00000000.00000003.2072294151.0000023754FC9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000000.2075698144.0000000000489000.00000002.00000001.01000000.00000010.sdmp, officesetup.exe, 00000003.00000002.3875011921.0000000000489000.00000002.00000001.01000000.00000010.sdmp, officesetup.exe.0.drString found in binary or memory: https://nexus.officeapps.live.comhttps://nexusrules.officeapps.live.com
Source: officesetup.exe, 00000003.00000003.2113430925.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115544366.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109229062.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004C14000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117965995.0000000004C70000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004C6B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109104378.0000000004C29000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115079736.0000000004C2C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecordhttps://login.windows.net/co
Source: officesetup.exe, 00000003.00000003.2113430925.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115544366.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109229062.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004C14000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117965995.0000000004C70000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004C6B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109104378.0000000004C29000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115079736.0000000004C2C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecordtChosen
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2116978985.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119931905.00000000033E0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138260687.00000000033E8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139330326.00000000033E8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3879582452.00000000033E8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: officesetup.exe, 00000003.00000003.2108158532.00000000033E0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2116978985.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119931905.00000000033E0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138260687.00000000033E8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139330326.00000000033E8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3879582452.00000000033E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesge
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2116978985.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119931905.00000000033E0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138260687.00000000033E8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139330326.00000000033E8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3879582452.00000000033E8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://onedrive.live.com
Source: officesetup.exe, 00000003.00000003.2113430925.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138643545.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139761439.0000000004C38000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004C14000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C51000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115645976.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109317874.0000000004C3C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109104378.0000000004C29000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111170089.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109350726.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140397405.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115079736.0000000004C2C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110383678.0000000004C50000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://onedrive.live.com/embed?
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://onedrive.live.com/embed?iisc
Source: officesetup.exe, 00000003.00000003.2138488273.0000000003349000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://onedrive.live.comOneDriveLogUploadServicehttps://storage.live.com/clientlogs/uploadlocationM
Source: officesetup.exe, 00000003.00000003.2115448668.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138086473.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107323740.0000000004813000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3883358917.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110868557.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117819895.0000000004807000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117207907.0000000004804000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113576949.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108316375.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115346556.0000000004795000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://osi.office.netst
Source: SecuriteInfo.com.Trojan.Agent.19085.17583.exe, 00000000.00000003.2072294151.000002375502C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115448668.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138086473.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000000.2075698144.0000000000489000.00000002.00000001.01000000.00000010.sdmp, officesetup.exe, 00000003.00000002.3875011921.0000000000489000.00000002.00000001.01000000.00000010.sdmp, officesetup.exe, 00000003.00000003.2107323740.0000000004813000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3883358917.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110868557.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117819895.0000000004807000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117207907.0000000004804000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113576949.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108316375.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115346556.0000000004795000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.dr, officesetup.exe.0.drString found in binary or memory: https://otelrules.azureedge.net
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://otelrules.svc.static.microsoft
Source: officesetup.exe, 00000003.00000003.2113430925.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115544366.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109229062.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004C14000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117965995.0000000004C70000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004C6B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109104378.0000000004C29000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115079736.0000000004C2C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://otelrules.svc.static.microsoft1
Source: 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://outlook.office.com
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2116978985.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107601058.00000000032A5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138722885.000000000344C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139644912.000000000349D000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107508009.000000000329B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119527129.0000000003497000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2137310149.0000000003439000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107773341.00000000013DC000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140261258.00000000034A5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3879949849.000000000349C000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://outlook.office.com/
Source: officesetup.exe, 00000003.00000003.2104119632.000000000329B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140430993.00000000032A0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2112104929.000000000329B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108986697.00000000032A7000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107601058.00000000032A8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108671524.000000000329B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138841637.000000000329F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878680937.00000000032A0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2118693235.00000000032A7000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: officesetup.exe, 00000003.00000003.2115448668.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138086473.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107323740.0000000004813000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3883358917.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110868557.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117819895.0000000004807000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117207907.0000000004804000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113576949.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108316375.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115346556.0000000004795000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office.comiUrl
Source: officesetup.exe, 00000003.00000003.2115448668.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138086473.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107323740.0000000004813000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3883358917.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110868557.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117819895.0000000004807000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117207907.0000000004804000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113576949.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108316375.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115346556.0000000004795000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office.comonH
Source: officesetup.exe, 00000003.00000003.2115448668.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138086473.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107323740.0000000004813000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3883358917.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110868557.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117819895.0000000004807000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117207907.0000000004804000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113576949.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108316375.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115346556.0000000004795000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office.comt
Source: 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://outlook.office365.com
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2116978985.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107601058.00000000032A5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138722885.000000000344C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139644912.000000000349D000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107508009.000000000329B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119527129.0000000003497000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2137310149.0000000003439000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107773341.00000000013DC000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140261258.00000000034A5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3879949849.000000000349C000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://outlook.office365.com/
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: officesetup.exe, 00000003.00000003.2138488273.000000000336C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878933219.000000000336C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activitiess
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2102947035.00000000013C7000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2102911041.00000000032A4000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2101376992.00000000032A1000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: officesetup.exe, 00000003.00000003.2138643545.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111224699.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117329267.0000000004C08000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109384763.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C0A000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115936508.0000000004C05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.jsonEve
Source: officesetup.exe, 00000003.00000003.2138643545.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111224699.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117329267.0000000004C08000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109384763.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C0A000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115936508.0000000004C05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.jsonesp
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://outlook.office365.com/connectors
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/connectorsppDataFS
Source: officesetup.exe, 00000003.00000003.2108573556.00000000047BC000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107475100.00000000047BC000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3883235522.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108474205.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2137984699.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110915498.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113576949.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117860030.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115346556.0000000004795000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/icC
Source: officesetup.exe, 00000003.00000003.2115448668.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138086473.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107323740.0000000004813000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3883358917.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110868557.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117819895.0000000004807000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117207907.0000000004804000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113576949.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108316375.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115346556.0000000004795000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.comh
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2102947035.00000000013C7000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2102911041.00000000032A4000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2101376992.00000000032A1000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: officesetup.exe, 00000003.00000002.3876994770.0000000001384000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/J
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=OutlookMBI_SSL_SHORT
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=OutlookProvid
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://pages.store.office.com/review/query
Source: officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pages.store.office.com/review/queryTemplateStarthttps://
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pages.store.office.com/review/queryttic
Source: officesetup.exe, 00000003.00000003.2121487639.00000000048E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2121208483.00000000048E4000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3883681385.00000000048EB000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139707126.00000000048EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/M365.Accessssad
Source: officesetup.exe, 00000003.00000003.2108158532.00000000033E0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2106377665.000000000329F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107601058.00000000032A5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107508009.000000000329B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107773341.00000000013DC000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: officesetup.exe, 00000003.00000002.3882855465.0000000004715000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2137775560.000000000470C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119596374.0000000004710000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119397562.00000000046DB000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140775970.0000000004710000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWriteJ
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/Todo-Internal.ReadWriteven
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138643545.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111224699.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117329267.0000000004C08000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109384763.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C0A000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115936508.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: officesetup.exe, 00000003.00000003.2107475100.00000000047BC000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistoryMBI_SSL
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: officesetup.exe, 00000003.00000003.2107475100.00000000047BC000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v2/initMBI_SSL
Source: officesetup.exe, 00000003.00000003.2108573556.00000000047BC000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107475100.00000000047BC000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3883235522.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108474205.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2137984699.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110915498.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113576949.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117860030.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115346556.0000000004795000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v2/initl
Source: officesetup.exe, 00000003.00000003.2115346556.0000000004795000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.comP
Source: officesetup.exe, 00000003.00000003.2115448668.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138086473.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107323740.0000000004813000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3883358917.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110868557.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117819895.0000000004807000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117207907.0000000004804000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113576949.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108316375.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115346556.0000000004795000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.comUWL
Source: officesetup.exe, 00000003.00000003.2115346556.0000000004795000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.comh
Source: officesetup.exe, 00000003.00000003.2115448668.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138086473.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107323740.0000000004813000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3883358917.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110868557.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117819895.0000000004807000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117207907.0000000004804000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113576949.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108316375.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115346556.0000000004795000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.compcq
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: officesetup.exe, 00000003.00000003.2113430925.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138643545.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139761439.0000000004C38000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004C14000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C51000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115645976.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109317874.0000000004C3C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109104378.0000000004C29000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111170089.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109350726.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140397405.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115079736.0000000004C2C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110383678.0000000004C50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFilell
Source: officesetup.exe, 00000003.00000003.2115448668.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138086473.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2102947035.00000000013C7000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107323740.0000000004813000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3883358917.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110868557.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2102911041.00000000032A4000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2101376992.00000000032A1000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117819895.0000000004807000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117207907.0000000004804000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113576949.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108316375.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115346556.0000000004795000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://tasks.office.com
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tellmeservice.osi.office.netst
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://templatesmetadata.office.net/
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://templatesmetadata.office.net/1
Source: officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://templatesmetadata.office.net/OfficePythonServiceEndpointUrlhttps://service.officepy.microsof
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: officesetup.exe, 00000003.00000003.2138643545.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111224699.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117329267.0000000004C08000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109384763.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C0A000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115936508.0000000004C05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/ureSave
Source: officesetup.exe, 00000003.00000003.2113430925.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138643545.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139761439.0000000004C38000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004C14000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C51000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115645976.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109317874.0000000004C3C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109104378.0000000004C29000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111170089.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109350726.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140397405.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115079736.0000000004C2C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110383678.0000000004C50000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: officesetup.exe, 00000003.00000003.2107475100.00000000047BC000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.htmlInsightsImmersivehttps
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: officesetup.exe, 00000003.00000003.2108158532.00000000033E0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119047830.00000000034E8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2116978985.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3880595030.0000000003503000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2137936643.00000000034DE000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139673877.0000000003502000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.htmlenousS
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.comBearer
Source: officesetup.exe, 00000003.00000003.2138643545.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111224699.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117329267.0000000004C08000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109384763.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C0A000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115936508.0000000004C05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.comt
Source: officesetup.exe, 00000003.00000003.2138643545.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111224699.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117329267.0000000004C08000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109384763.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C0A000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115936508.0000000004C05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.comy
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: officesetup.exe, 00000003.00000003.2138643545.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111224699.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117329267.0000000004C08000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109384763.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C0A000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115936508.0000000004C05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-deviceslag
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107773341.00000000013DC000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3876994770.00000000013C7000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2121045739.00000000013C7000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://web.microsoftstream.com/video/
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: officesetup.exe, 00000003.00000003.2107475100.00000000047BC000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ExchangeAutoDiscoverhttps:/
Source: officesetup.exe, 00000003.00000003.2113430925.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138643545.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139761439.0000000004C38000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004C14000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C51000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115645976.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109317874.0000000004C3C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109104378.0000000004C29000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111170089.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109350726.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140397405.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115079736.0000000004C2C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110383678.0000000004C50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/Instala
Source: 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://webshell.suite.office.com
Source: officesetup.exe, 00000003.00000003.2107508009.000000000329B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://webshell.suite.office.comBearer
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://webshell.suite.office.comPInt
Source: officesetup.exe, 00000003.00000003.2107508009.000000000329B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://webshell.suite.office.comhttps://login.windows.net/common/oauth2/authorize
Source: officesetup.exe, 00000003.00000002.3878160329.000000000326A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://webshell.suite.office.comtos
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: officesetup.exe, 00000003.00000003.2108158532.00000000033E0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119220996.0000000003494000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2116978985.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138722885.000000000344C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139644912.000000000349D000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119527129.0000000003497000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2137310149.0000000003439000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140261258.00000000034A5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3879949849.000000000349C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx4J
Source: officesetup.exe, 00000003.00000003.2140862313.00000000049A9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2120125750.000000000495E000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2120540160.00000000049A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashxORedir
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: officesetup.exe, 00000003.00000003.2108158532.00000000033E0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2116978985.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119931905.00000000033E0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138260687.00000000033E8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139330326.00000000033E8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3879582452.00000000033E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-iosg
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108474205.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://wus2.contentsync.
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119047830.00000000034E8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2116978985.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3880595030.0000000003503000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108474205.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2137936643.00000000034DE000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139673877.0000000003502000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://wus2.pagecontentsync.
Source: officesetup.exe, 00000003.00000002.3883235522.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108474205.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2137984699.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110915498.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113576949.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117860030.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115346556.0000000004795000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2Azur
Source: officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://www.odwebp.svc.ms
Source: officesetup.exe, 00000003.00000003.2115448668.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138086473.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107323740.0000000004813000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3883358917.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110868557.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117819895.0000000004807000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117207907.0000000004804000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113576949.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108316375.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115346556.0000000004795000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.odwebp.svc.msom
Source: officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drString found in binary or memory: https://www.yammer.com
Source: SecuriteInfo.com.Trojan.Agent.19085.17583.exe, 00000000.00000003.2072294151.00000237550C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: RegisterRawInputDevices memstr_4559f647-0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exe Code function: 0_2_00007FF6A4317C90 SetWindowLongPtrW,NtdllDefWindowProc_W,NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exe Code function: 0_2_00007FF6A42FC300: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exe File deleted: C:\Windows\Temp\__tmp_rar_sfx_access_check_5400375
Source: Joe Sandbox View Dropped File: C:\Windows\Temp\officesetup.exe 29D0E8520D754AEBAE73ABF685B328D0EEB9BFF7DCFB909B51D846FEB290C84D
Source: SecuriteInfo.com.Trojan.Agent.19085.17583.exe, 00000000.00000003.2068425422.0000022F4E517000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs SecuriteInfo.com.Trojan.Agent.19085.17583.exe
Source: SecuriteInfo.com.Trojan.Agent.19085.17583.exe, 00000000.00000003.2072294151.000002375514E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBootstrapper.exeB vs SecuriteInfo.com.Trojan.Agent.19085.17583.exe
Source: SecuriteInfo.com.Trojan.Agent.19085.17583.exe, 00000000.00000003.2069026239.0000022F4E517000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs SecuriteInfo.com.Trojan.Agent.19085.17583.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine Classification label: mal52.evad.winEXE@4/21@0/6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exe Code function: 0_2_00007FF6A42FB6E8 GetLastError,FormatMessageW,LocalFree
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exe Code function: 0_2_00007FF6A43185A4 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
Source: C:\Windows\Temp\officesetup.exe File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\84AD9063-7D4B-4EDA-8DA3-F20D3A848280
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5144:120:WilError_03
Source: C:\Windows\Temp\officesetup.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\2BF388D5-6F8C-40A0-A7EE-996D005C4E14_Office16
Source: C:\Windows\Temp\officesetup.exe Mutant created: \Sessions\1\BaseNamedObjects\Office.16.916BB0BF-2D21-4499-83C7-555DB4C3F8E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exe File created: C:\Windows\Temp\__tmp_rar_sfx_access_check_5400375
Source: SecuriteInfo.com.Trojan.Agent.19085.17583.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Trojan.Agent.19085.17583.exe, 00000000.00000003.2072294151.0000023754FC9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000000.2075698144.0000000000489000.00000002.00000001.01000000.00000010.sdmp, officesetup.exe, 00000003.00000002.3875011921.0000000000489000.00000002.00000001.01000000.00000010.sdmp, officesetup.exe.0.drBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: SecuriteInfo.com.Trojan.Agent.19085.17583.exe, 00000000.00000003.2072294151.0000023754FC9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000000.2075698144.0000000000489000.00000002.00000001.01000000.00000010.sdmp, officesetup.exe, 00000003.00000002.3875011921.0000000000489000.00000002.00000001.01000000.00000010.sdmp, officesetup.exe.0.drBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: SecuriteInfo.com.Trojan.Agent.19085.17583.exe, 00000000.00000003.2072294151.0000023754FC9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000000.2075698144.0000000000489000.00000002.00000001.01000000.00000010.sdmp, officesetup.exe, 00000003.00000002.3875011921.0000000000489000.00000002.00000001.01000000.00000010.sdmp, officesetup.exe.0.drBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: SecuriteInfo.com.Trojan.Agent.19085.17583.exe, 00000000.00000003.2072294151.0000023754FC9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000000.2075698144.0000000000489000.00000002.00000001.01000000.00000010.sdmp, officesetup.exe, 00000003.00000002.3875011921.0000000000489000.00000002.00000001.01000000.00000010.sdmp, officesetup.exe.0.drBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: SecuriteInfo.com.Trojan.Agent.19085.17583.exe Virustotal: Detection: 10%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exe Process created: C:\Windows\Temp\officesetup.exe "C:\Windows\TEMP\officesetup.exe" /download C:\Windows\TEMP\Office.xml
Source: C:\Windows\Temp\officesetup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: dxgidebug.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: riched20.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: usp10.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: msls31.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: ieframe.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: dataexchange.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: d3d11.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: dcomp.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: msiso.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: mshtml.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: msimtf.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: d2d1.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: dwrite.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: dxcore.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: secur32.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: mlang.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: wininet.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: uiautomationcore.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: slc.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: msxml6.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: netprofm.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: webio.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: webservices.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: windows.networking.connectivity.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: windows.security.authentication.onlineid.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: bitsproxy.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: cryptnet.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: devrtl.dllJump to behavior
Source: C:\Windows\Temp\officesetup.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Temp\officesetup.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office
Source: SecuriteInfo.com.Trojan.Agent.19085.17583.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Trojan.Agent.19085.17583.exe Static file information: File size 3092254 > 1048576
Source: SecuriteInfo.com.Trojan.Agent.19085.17583.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.Agent.19085.17583.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.Agent.19085.17583.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.Agent.19085.17583.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.Agent.19085.17583.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.Agent.19085.17583.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Trojan.Agent.19085.17583.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: d:\dbs\el\sa1\target\x86\ship\click2run\en-us\SetupODT.pdb source: SecuriteInfo.com.Trojan.Agent.19085.17583.exe, 00000000.00000003.2072294151.00000237550C1000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000000.2075698144.0000000000489000.00000002.00000001.01000000.00000010.sdmp, officesetup.exe, 00000003.00000002.3875011921.0000000000489000.00000002.00000001.01000000.00000010.sdmp, officesetup.exe.0.dr
Source: Binary string: d:\dbs\el\sa1\target\x86\ship\click2run\en-us\SetupODT.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000Kx source: SecuriteInfo.com.Trojan.Agent.19085.17583.exe, 00000000.00000003.2072294151.00000237550C1000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000000.2075698144.0000000000489000.00000002.00000001.01000000.00000010.sdmp, officesetup.exe, 00000003.00000002.3875011921.0000000000489000.00000002.00000001.01000000.00000010.sdmp, officesetup.exe.0.dr
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: SecuriteInfo.com.Trojan.Agent.19085.17583.exe
Source: SecuriteInfo.com.Trojan.Agent.19085.17583.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.Agent.19085.17583.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.Agent.19085.17583.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.Agent.19085.17583.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.Agent.19085.17583.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeFile created: C:\Windows\Temp\__tmp_rar_sfx_access_check_5400375Jump to behavior
Source: SecuriteInfo.com.Trojan.Agent.19085.17583.exeStatic PE information: section name: .didat
Source: SecuriteInfo.com.Trojan.Agent.19085.17583.exeStatic PE information: section name: _RDATA
Source: C:\Windows\Temp\officesetup.exeCode function: 3_2_0040EA70 push ecx; ret 3_2_0040EA83
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeFile created: C:\Windows\Temp\officesetup.exeJump to dropped file
Source: C:\Windows\Temp\officesetup.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData 1.16Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Temp\officesetup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Windows\Temp\officesetup.exeSystem information queried: FirmwareTableInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeMemory allocated: 23750870000 memory reserve | memory write watchJump to behavior
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeCode function: 0_2_00007FF6A430407C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF6A430407C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeCode function: 0_2_00007FF6A431B110 SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,SetForegroundWindow,DialogBoxParamW,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF6A431B110
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeCode function: 0_2_00007FF6A432FC20 FindFirstFileExA,0_2_00007FF6A432FC20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeCode function: 0_2_00007FF6A4321624 VirtualQuery,GetSystemInfo,0_2_00007FF6A4321624
Source: officesetup.exe, 00000003.00000003.2102947035.00000000013C7000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878160329.000000000326A000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3876994770.000000000130F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3876994770.00000000013C7000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2121045739.00000000013C7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeCode function: 0_2_00007FF6A4327658 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6A4327658
Source: C:\Windows\Temp\officesetup.exeCode function: 3_2_0043D449 mov eax, dword ptr fs:[00000030h]3_2_0043D449
Source: C:\Windows\Temp\officesetup.exeCode function: 3_2_00433251 mov ecx, dword ptr fs:[00000030h]3_2_00433251
Source: C:\Windows\Temp\officesetup.exeCode function: 3_2_0043D48C mov eax, dword ptr fs:[00000030h]3_2_0043D48C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeCode function: 0_2_00007FF6A4330CA0 GetProcessHeap,0_2_00007FF6A4330CA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeCode function: 0_2_00007FF6A43232D4 SetUnhandledExceptionFilter,0_2_00007FF6A43232D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeCode function: 0_2_00007FF6A4322490 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF6A4322490
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeCode function: 0_2_00007FF6A43230F0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6A43230F0
Source: C:\Windows\Temp\officesetup.exeCode function: 3_2_0041A2FE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0041A2FE
Source: C:\Windows\Temp\officesetup.exeCode function: 3_2_0040E4B5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0040E4B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeProcess created: C:\Windows\Temp\officesetup.exe "C:\Windows\TEMP\officesetup.exe" /download C:\Windows\TEMP\Office.xmlJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeCode function: 0_2_00007FF6A4335860 cpuid 0_2_00007FF6A4335860
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeCode function: GetLocaleInfoW,GetNumberFormatW,0_2_00007FF6A431A24C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeQueries volume information: C:\Windows\Fonts\times.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeCode function: 0_2_00007FF6A43206D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF6A43206D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exeCode function: 0_2_00007FF6A4305164 GetVersionExW,0_2_00007FF6A4305164
Source: C:\Windows\Temp\officesetup.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 11 Masquerading | 11 Input Capture | 1 System Time Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 11 Process Injection | 1 Modify Registry | LSASS Memory | 121 Security Software Discovery | Remote Desktop Protocol | 11 Input Capture | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 11 Virtualization/Sandbox Evasion | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Archive Collected Data | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 36 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 File Deletion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
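| Source | Detection | Scanner | Label | Link |
| --- | --- | --- | --- | --- |
| SecuriteInfo.com.Trojan.Agent.19085.17583.exe | 10% | Virustotal | | Browse |
| SecuriteInfo.com.Trojan.Agent.19085.17583.exe | 8% | ReversingLabs | | |

| Source | Detection | Scanner | Label | Link |
| --- | --- | --- | --- | --- |
| C:\Windows\Temp\officesetup.exe | 0% | ReversingLabs | | |
| C:\Windows\Temp\officesetup.exe | 0% | Virustotal | | Browse |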
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
                                          high
                                          https://messagebroker.mobile.m365.svc.cloud.microsoftofficesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drfalse
                                          • URL Reputation: safe
                                          unknown
                                          https://edge.skype.com/registrar/prodofficesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drfalse
                                            high
                                            https://login.windows.net/common/oauth2/authorizeayofficesetup.exe, 00000003.00000003.2138841637.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107508009.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878680937.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2112104929.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140430993.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108671524.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2118693235.00000000032E9000.00000004.00000020.00020000.00000000.sdmpfalse
                                              high
                                              https://res.getmicrosoftkey.com/api/redemptioneventsofficesetup.exe, 00000003.00000002.3876994770.0000000001384000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drfalse
                                              • URL Reputation: safe
                                              unknown
                                              https://tasks.office.comofficesetup.exe, 00000003.00000003.2115448668.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138086473.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2102947035.00000000013C7000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107323740.0000000004813000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3883358917.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110868557.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2102911041.00000000032A4000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2101376992.00000000032A1000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117819895.0000000004807000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117207907.0000000004804000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113576949.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108316375.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115346556.0000000004795000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drfalse
                                                high
                                                https://login.windows.net/common/oauth2/authorizeGates1officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  high
                                                  https://substrate.office.com/M365.Accessssadofficesetup.exe, 00000003.00000003.2121487639.00000000048E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2121208483.00000000048E4000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3883681385.00000000048EB000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139707126.00000000048EB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    high
                                                    https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonInitofficesetup.exe, 00000003.00000002.3882855465.000000000470C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2137775560.000000000470C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119765816.000000000470C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119397562.00000000046DB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      high
                                                      https://my.microsoftpersonalcontent.comofficesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      https://store.office.cn/addinstemplateofficesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      https://otelrules.svc.static.microsoft1officesetup.exe, 00000003.00000003.2113430925.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115544366.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109229062.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004C14000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117965995.0000000004C70000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004C6B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109104378.0000000004C29000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115079736.0000000004C2C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004C60000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://edge.skype.com/rpsofficesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drfalse
                                                        high
                                                        https://login.windows.net/common/oauth2/authorizectionCofficesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
                                                          https://login.windows.net/common/oauth2/authorizeaseofficesetup.exe, 00000003.00000003.2138488273.000000000336C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878933219.000000000336C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            high
                                                            https://login.windows.net/common/oauth2/authorizeMBI_SSL_SHORTofficesetup.exe, 00000003.00000003.2107475100.00000000047BC000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              high
                                                              https://login.windows.net/common/oauth2/authorizeeIncomLofficesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                high
                                                                https://login.windows.net/common/oauth2/authorizeid0officesetup.exe, 00000003.00000003.2138841637.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107508009.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878680937.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2112104929.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140430993.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108671524.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2118693235.00000000032E9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechofficesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drfalse
                                                                    high
                                                                    https://www.odwebp.svc.msofficesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://dev.cortana.ai6..;.-officesetup.exe, 00000003.00000002.3884066765.0000000004A07000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139432109.00000000049F9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2120456590.0000000004A0F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108640535.0000000004A0F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113705452.0000000004A0F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    low
                                                                    https://api.addins.store.officeppe.com/addinstemplateofficesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drfalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://graph.windows.netofficesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drfalse
                                                                      high
                                                                      https://globaldisco.crm.dynamics.com:officesetup.exe, 00000003.00000003.2113430925.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115544366.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109229062.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004C14000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117965995.0000000004C70000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004C6B000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109104378.0000000004C29000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115079736.0000000004C2C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004C60000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://login.windows.net/common/oauth2/authorizetynofficesetup.exe, 00000003.00000003.2138841637.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107508009.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878680937.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2112104929.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140430993.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108671524.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2118693235.00000000032E9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonMBI_SSLpeople.directory.officesetup.exe, 00000003.00000003.2107508009.000000000329B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://consent.config.office.com/consentcheckin/v1.0/consentsofficesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drfalse
                                                                              high
                                                                              https://ic3.teams.office.comDBofficesetup.exe, 00000003.00000003.2115448668.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138086473.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107323740.0000000004813000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3883358917.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110868557.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117819895.0000000004807000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117207907.0000000004804000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113576949.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108316375.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115346556.0000000004795000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonofficesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drfalse
                                                                                high
                                                                                https://api.cortana.ai3officesetup.exe, 00000003.00000002.3884066765.0000000004A07000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139432109.00000000049F9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2120456590.0000000004A0F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108640535.0000000004A0F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113705452.0000000004A0F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                https://d.docs.live.netofficesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drfalse
                                                                                • 0%, Virustotal, Browse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                https://login.windows.net/common/oauth2/authorizeidOofficesetup.exe, 00000003.00000003.2138841637.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107508009.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878680937.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2112104929.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140430993.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108671524.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2118693235.00000000032E9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://login.windows.net/common/oauth2/authorizetionaRa.tofficesetup.exe, 00000003.00000003.2120752847.00000000049A1000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884066765.00000000049A1000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2120663141.00000000049A0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2121595661.00000000049A1000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2120125750.000000000495E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://ncus.contentsync.officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108474205.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    https://login.windows.net/common/oauth2/authorizeagesofficesetup.exe, 00000003.00000003.2138841637.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107508009.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878680937.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138488273.000000000336C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2112104929.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140430993.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108671524.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878933219.000000000336C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2118693235.00000000032E9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://login.windows.net/common/oauth2/authorizeabledofficesetup.exe, 00000003.00000003.2138488273.000000000336C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878933219.000000000336C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drfalse
                                                                                          high
                                                                                          http://weather.service.msn.com/data.aspxofficesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drfalse
                                                                                            high
                                                                                            https://api.diagnosticssdf.office.com/v2/fileBearerofficesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://d.docs.live.netKofficesetup.exe, 00000003.00000002.3884066765.0000000004A07000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139432109.00000000049F9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2120456590.0000000004A0F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108640535.0000000004A0F000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113705452.0000000004A0F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://incidents.diagnostics.office.comODSIncidentsSdfUrlhttps://incidents.diagnosticssdf.office.coofficesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://word.uservoice.com/forums/304948-word-for-ipad-iphone-iosofficesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drfalse
                                                                                                high
                                                                                                https://templatesmetadata.office.net/1officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlofficesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2116978985.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119931905.00000000033E0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138260687.00000000033E8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139330326.00000000033E8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3879582452.00000000033E8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drfalse
                                                                                                    high
                                                                                                    https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2Azurofficesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://pushchannel.1drv.msofficesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drfalse
                                                                                                        high
                                                                                                        https://login.windows.net/common/oauth2/authorizebledofficesetup.exe, 00000003.00000002.3882855465.0000000004715000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2137775560.000000000470C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119596374.0000000004710000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138488273.000000000336C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878933219.000000000336C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119397562.00000000046DB000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140775970.0000000004710000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://pushchannel.1drv.msLiveOAuthLoginStarthttps://login.officesetup.exe, 00000003.00000003.2107323740.00000000047F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.jsonOofficesetup.exe, 00000003.00000003.2108158532.00000000033E0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2116978985.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119931905.00000000033E0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138260687.00000000033E8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2139330326.00000000033E8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3879582452.00000000033E8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://onedrive.live.com/embed?iiscofficesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://wus2.contentsync.officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108474205.0000000004796000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              https://login.windows.net/common/oauth2/authorizedofficesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://login.windows.net/common/oauth2/authorizeeofficesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3883681385.00000000048CD000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138488273.000000000336C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878933219.000000000336C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://login.windows.net/common/oauth2/authorizegofficesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileBearerofficesetup.exe, 00000003.00000003.2107475100.00000000047BC000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://outlook.office365.com/api/v1.0/me/Activitiesofficesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drfalse
                                                                                                                        high
                                                                                                                        https://login.windows.net/common/oauth2/authorize_officesetup.exe, 00000003.00000003.2138841637.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107508009.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878680937.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2112104929.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140430993.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108671524.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2118693235.00000000032E9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://login.windows.net/common/oauth2/authorizeeceiveofficesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://www.odwebp.svc.msomofficesetup.exe, 00000003.00000003.2115448668.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138086473.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107323740.0000000004813000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3883358917.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110868557.00000000047F8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117819895.0000000004807000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117207907.0000000004804000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113576949.0000000004788000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108316375.0000000004817000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115346556.0000000004795000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            https://clients.config.office.net/user/v1.0/android/policies84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drfalse
                                                                                                                              high
                                                                                                                              https://sr.outlook.office.net/ws/speech/recognize/assistant/workhttps://login.windows.net/common/oauofficesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://messaging.lifecycle.office.com/getcustommessage16StoreUserStatushttps://odc.officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonofficesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138643545.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111224699.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117329267.0000000004C08000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109384763.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C0A000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115936508.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drfalse
                                                                                                                                    high
                                                                                                                                    https://login.windows.net/common/oauth2/authorizemeterofficesetup.exe, 00000003.00000003.2138841637.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107508009.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878680937.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2112104929.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140430993.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108671524.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2118693235.00000000032E9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://www.openssl.org/support/faq.htmlSecuriteInfo.com.Trojan.Agent.19085.17583.exe, 00000000.00000003.2072294151.0000023755061000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000000.2075698144.0000000000489000.00000002.00000001.01000000.00000010.sdmp, officesetup.exe, 00000003.00000002.3875011921.0000000000489000.00000002.00000001.01000000.00000010.sdmp, officesetup.exe.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://messaging.lifecycle.office.com/getcustommessage16MBI_SSL_SHORTmessaging.lifecycle.office.comofficesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://login.microsoftonline.comofficesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drfalse
                                                                                                                                            high
                                                                                                                                            https://login.windows.net/common/oauth2/authorizengeofficesetup.exe, 00000003.00000003.2138841637.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107508009.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878680937.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2112104929.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140430993.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108671524.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2118693235.00000000032E9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://substrate.office.com/search/api/v1/SearchHistoryofficesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138643545.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111224699.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117329267.0000000004C08000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2109384763.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004C0A000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2115936508.0000000004C05000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.drfalse
                                                                                                                                                high
                                                                                                                                                https://webshell.suite.office.comPIntofficesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                unknown
                                                                                                                                                https://login.windows.net/common/oauth2/authorize:officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  high
https://login.windows.net/common/oauth2/authorizengl | officesetup.exe, 00000003.00000003.2138841637.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107508009.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3878680937.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2112104929.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140430993.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108671524.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2118693235.00000000032E9000.00000004.00000020.00020000.00000000.sdmp | false | high
https://clients.config.office.net/led | officesetup.exe, 00000003.00000002.3878160329.000000000326A000.00000004.00000020.00020000.00000000.sdmp | false | high
https://invites.office.com/Bearer | officesetup.exe, 00000003.00000003.2107475100.00000000047BC000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2107427233.0000000004788000.00000004.00000020.00020000.00000000.sdmp | false | high
https://login.windows.net/common/oauth2/authorize? | officesetup.exe, 00000003.00000002.3876994770.0000000001384000.00000004.00000020.00020000.00000000.sdmp | false | high
https://login.windows.net/common/oauth2/authorize1 | officesetup.exe, 00000003.00000003.2108782006.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2138359022.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2108399558.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117519442.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111843616.0000000004CAA000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2110686315.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000002.3884965002.0000000004CA5000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2111014372.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2113430925.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2117247725.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2114341993.0000000004CA8000.00000004.00000020.00020000.00000000.sdmp | false | high
https://devnull.onenote.com | officesetup.exe, 00000003.00000003.2107212620.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 84AD9063-7D4B-4EDA-8DA3-F20D3A848280.3.dr | false | high
https://login.windows.net/common/oauth2/authorize- | officesetup.exe, 00000003.00000002.3882855465.0000000004715000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2137775560.000000000470C000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119596374.0000000004710000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2119397562.00000000046DB000.00000004.00000020.00020000.00000000.sdmp, officesetup.exe, 00000003.00000003.2140775970.0000000004710000.00000004.00000020.00020000.00000000.sdmp | false | high
IP | Domain | Country | ASN | ASN Name | Malicious
52.113.194.132 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
52.109.0.136 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
152.195.19.97 | unknown | United States | 15133 | EDGECASTUS | false
20.189.173.4 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
20.245.190.220 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
52.109.20.38 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
                                                                                                                                                                Joe Sandbox version:40.0.0 Tourmaline
                                                                                                                                                                Analysis ID:1425409
                                                                                                                                                                Start date and time:2024-04-13 15:35:09 +02:00
                                                                                                                                                                Joe Sandbox product:CloudBasic
                                                                                                                                                                Overall analysis duration:0h 9m 41s
                                                                                                                                                                Hypervisor based Inspection enabled:false
                                                                                                                                                                Report type:full
                                                                                                                                                                Cookbook file name:default.jbs
                                                                                                                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                Run name:Run with higher sleep bypass
                                                                                                                                                                Number of analysed new started processes analysed:9
                                                                                                                                                                Number of new started drivers analysed:0
                                                                                                                                                                Number of existing processes analysed:0
                                                                                                                                                                Number of existing drivers analysed:0
                                                                                                                                                                Number of injected processes analysed:0
                                                                                                                                                                Technologies:
                                                                                                                                                                • HCA enabled
                                                                                                                                                                • EGA enabled
                                                                                                                                                                • AMSI enabled
                                                                                                                                                                Analysis Mode:default
                                                                                                                                                                Analysis stop reason:Timeout
                                                                                                                                                                Sample name:SecuriteInfo.com.Trojan.Agent.19085.17583.exe
                                                                                                                                                                Detection:MAL
                                                                                                                                                                Classification:mal52.evad.winEXE@4/21@0/6
                                                                                                                                                                EGA Information:
                                                                                                                                                                • Successful, ratio: 100%
                                                                                                                                                                HCA Information:Failed
                                                                                                                                                                Cookbook Comments:
                                                                                                                                                                • Found application associated with file extension: .exe
                                                                                                                                                                • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                                                                                                                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                                                                                                                                • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                                                                • Skipping network analysis since amount of network traffic is too extensive
                                                                                                                                                                No simulations
                                                                                                                                                                                                                                                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
MICROSOFT-CORP-MSN-AS-BLOCKUS | pL7jDJb2G6.elf | malicious | Mirai | 13.76.64.152
MICROSOFT-CORP-MSN-AS-BLOCKUS | kGbjOmkleq.elf | malicious | Mirai | 20.103.174.199
MICROSOFT-CORP-MSN-AS-BLOCKUS | qJNrNXMSir.elf | malicious | Mirai | 13.101.153.67
MICROSOFT-CORP-MSN-AS-BLOCKUS | 51rzFTJnAX.elf | malicious | Mirai | 40.100.100.133
MICROSOFT-CORP-MSN-AS-BLOCKUS | UGXRHW5XnG.elf | malicious | Mirai | 20.183.227.20
MICROSOFT-CORP-MSN-AS-BLOCKUS | uPGFD6puIk.elf | malicious | Mirai | 13.84.111.153
MICROSOFT-CORP-MSN-AS-BLOCKUS | TvB0i1SBvy.elf | malicious | Mirai | 52.96.223.127
MICROSOFT-CORP-MSN-AS-BLOCKUS | xQwEu422am.elf | malicious | Mirai | 72.155.239.255
MICROSOFT-CORP-MSN-AS-BLOCKUS | YrwQEQwAlQ.elf | malicious | Mirai | 13.90.15.226
MICROSOFT-CORP-MSN-AS-BLOCKUS | FT-3-TL-BALANCE,jpg.cmd | malicious | DBatLoader | 13.107.137.11
                                                                                                                                                                                                                                                MICROSOFT-CORP-MSN-AS-BLOCKUSpL7jDJb2G6.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                • 13.76.64.152
                                                                                                                                                                                                                                                kGbjOmkleq.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                • 20.103.174.199
                                                                                                                                                                                                                                                qJNrNXMSir.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                • 13.101.153.67
                                                                                                                                                                                                                                                51rzFTJnAX.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                • 40.100.100.133
                                                                                                                                                                                                                                                UGXRHW5XnG.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                • 20.183.227.20
                                                                                                                                                                                                                                                uPGFD6puIk.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                • 13.84.111.153
                                                                                                                                                                                                                                                TvB0i1SBvy.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                • 52.96.223.127
                                                                                                                                                                                                                                                xQwEu422am.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                • 72.155.239.255
                                                                                                                                                                                                                                                YrwQEQwAlQ.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                • 13.90.15.226
                                                                                                                                                                                                                                                FT-3-TL-BALANCE,jpg.cmdGet hashmaliciousDBatLoaderBrowse
                                                                                                                                                                                                                                                • 13.107.137.11
                                                                                                                                                                                                                                                EDGECASTUSHTTPS://tnfarmbureau.orgGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                • 152.199.24.185
                                                                                                                                                                                                                                                HTTPS://tnfarmbureau.orgGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                • 152.199.24.185
                                                                                                                                                                                                                                                https://www.idofea.org/idea-std-1010-inspection-standardGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                • 152.199.24.163
                                                                                                                                                                                                                                                https://yachtchartermarket.com/p/what-to-expect-at-the-tyba-yacht-charter-show-2024Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                • 72.21.91.66
                                                                                                                                                                                                                                                Dot_ Microsoft Password Expired Wednesday, January 24, 2024.emlGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                • 152.195.19.97
                                                                                                                                                                                                                                                http://loveevamk.lifeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                • 152.195.54.55
                                                                                                                                                                                                                                                https://tracker.club-os.com/campaign/click?msgId=f8ea317d963149a518aa35e03e5541f797badf3c&target=splendidanimations.com%2F%40%2FInfinitygroup/NxXfJ70594NxXfJ70594NxXfJ/c3VwcG9ydEBpbmZpbml0eWdyb3VwLmNvLnVrGet hashmaliciousHtmlDropper, HTMLPhisherBrowse
                                                                                                                                                                                                                                                • 152.195.19.97
                                                                                                                                                                                                                                                file.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                • 152.195.19.97
                                                                                                                                                                                                                                                file.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                • 152.195.19.97
                                                                                                                                                                                                                                                https://wwwlkwmwm12m21mm211.z13.web.core.windows.net/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                                                                                • 152.199.4.44
                                                                                                                                                                                                                                                MICROSOFT-CORP-MSN-AS-BLOCKUSpL7jDJb2G6.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                • 13.76.64.152
                                                                                                                                                                                                                                                kGbjOmkleq.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                • 20.103.174.199
                                                                                                                                                                                                                                                qJNrNXMSir.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                • 13.101.153.67
                                                                                                                                                                                                                                                51rzFTJnAX.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                • 40.100.100.133
                                                                                                                                                                                                                                                UGXRHW5XnG.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                • 20.183.227.20
                                                                                                                                                                                                                                                uPGFD6puIk.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                • 13.84.111.153
                                                                                                                                                                                                                                                TvB0i1SBvy.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                • 52.96.223.127
                                                                                                                                                                                                                                                xQwEu422am.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                • 72.155.239.255
                                                                                                                                                                                                                                                YrwQEQwAlQ.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                • 13.90.15.226
                                                                                                                                                                                                                                                FT-3-TL-BALANCE,jpg.cmdGet hashmaliciousDBatLoaderBrowse
                                                                                                                                                                                                                                                • 13.107.137.11
                                                                                                                                                                                                                                                MICROSOFT-CORP-MSN-AS-BLOCKUSpL7jDJb2G6.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                • 13.76.64.152
                                                                                                                                                                                                                                                kGbjOmkleq.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                • 20.103.174.199
                                                                                                                                                                                                                                                qJNrNXMSir.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                • 13.101.153.67
                                                                                                                                                                                                                                                51rzFTJnAX.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                • 40.100.100.133
                                                                                                                                                                                                                                                UGXRHW5XnG.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                • 20.183.227.20
                                                                                                                                                                                                                                                uPGFD6puIk.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                • 13.84.111.153
                                                                                                                                                                                                                                                TvB0i1SBvy.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                • 52.96.223.127
                                                                                                                                                                                                                                                xQwEu422am.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                • 72.155.239.255
                                                                                                                                                                                                                                                YrwQEQwAlQ.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                • 13.90.15.226
                                                                                                                                                                                                                                                FT-3-TL-BALANCE,jpg.cmdGet hashmaliciousDBatLoaderBrowse
                                                                                                                                                                                                                                                • 13.107.137.11
                                                                                                                                                                                                                                                No context
Match: C:\Windows\Temp\officesetup.exe
  Associated Sample Name / URL: OInstall.exe; Detection: malicious; Threat Name: Unknown
  Associated Sample Name / URL: OInstall.exe; Detection: malicious; Threat Name: Unknown
                                                                                                                                                                                                                                                    Process:C:\Windows\Temp\officesetup.exe
                                                                                                                                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                                    Size (bytes):166203
                                                                                                                                                                                                                                                    Entropy (8bit):5.340910465338232
                                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                                    SSDEEP:1536:T+C7FPgOsB3U9guwwJQ9DQA+zqzhQik4F77nXmvYd8XRTEwreOR6g:CIQ9DQA+zqzMXeMJ
                                                                                                                                                                                                                                                    MD5:DB15AC11AB4223DE1934881B09758D29
                                                                                                                                                                                                                                                    SHA1:368DBB86308D5A0B63584B72DF5BFA782C98085C
                                                                                                                                                                                                                                                    SHA-256:F900E9ED778402CA449E388F02481ADA9B3D4FABA80949473E436B2DBD52E72F
                                                                                                                                                                                                                                                    SHA-512:916CA1D287522382E55CAC56DCF2F297135AB24F0C7D94A0C326CB31D9F5E2A8FACFA9864CAE720920F4AFFB240FC686409E5BB1D15E75B0A2EA1DDFC2C4BF09
                                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-04-13T13:36:07">.. Build: 16.0.17607.40127-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuth
                                                                                                                                                                                                                                                    Process:C:\Windows\Temp\officesetup.exe
                                                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                                    Size (bytes):32768
                                                                                                                                                                                                                                                    Entropy (8bit):0.03518686266386184
                                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                                    SSDEEP:3:Gtl8/A+SZKMfKNEt94tl8/A+SZKMfKNEtltL89//Wlkl:GtGY+WX94tGY+WXlZ89Xis
                                                                                                                                                                                                                                                    MD5:50DB42A681112CB6798B04323649E340
                                                                                                                                                                                                                                                    SHA1:8B82A403E1FFB96018DBA7918CCB9A0CFB80EA0D
                                                                                                                                                                                                                                                    SHA-256:7F0723EBF5FEB79EDE6B0D168B28A5BA781C37C1F9CF06BBC4D3FFF8AEC970FA
                                                                                                                                                                                                                                                    SHA-512:1675E9532385DAE1E78FA40B7508928B50BE2F210903813EF7905E6BD63280FCC70407966468E904B89A2BAB91DB98BE391463C75923DF20F0267666E78C1E05
                                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                                                                    Process:C:\Windows\Temp\officesetup.exe
                                                                                                                                                                                                                                                    File Type:SQLite Write-Ahead Log, version 3007000
                                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                                    Size (bytes):4152
                                                                                                                                                                                                                                                    Entropy (8bit):1.3862186909066618
                                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                                    SSDEEP:12:K2e3pBXgeywqtZeY4syJttJxUSo0x9DdN1tDEX4vcImm5RyZkFv4sbf:K2e3Tqt8VtbDBtDi4kZERDf
                                                                                                                                                                                                                                                    MD5:DDBFB2D46FBB80C599AE2E92BE6AAEAB
                                                                                                                                                                                                                                                    SHA1:62AD456DEE1547E889F2A0AA52AB605DD8A82125
                                                                                                                                                                                                                                                    SHA-256:E558C9B507CDC103AB1CA2FFF4FC000637828223D85301405B2FE88507BDC533
                                                                                                                                                                                                                                                    SHA-512:5D5C83A6B911DF06C6C0D196F83E63ACC8C6F7E8BF1C23B72926876C3579157F03521B6AB328BBDDED21B2E8511C0E1F361DAE86007880AA8426C875F4A197F3
                                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                                                                    Process:C:\Windows\Temp\officesetup.exe
                                                                                                                                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with very long lines (2483), with CRLF line terminators
                                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                                    Size (bytes):245142
                                                                                                                                                                                                                                                    Entropy (8bit):3.856883893419895
                                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                                    SSDEEP:1536:OBukp5+CBQtCYk237PvkMRK8Os6dJ8RO8mX05u3Sc2DtzMxqp0W6xZBYTF+GjM8D:OcvF
                                                                                                                                                                                                                                                    MD5:B4AB2EB3E2AE7843240C91FB6B8B40A7
                                                                                                                                                                                                                                                    SHA1:FF263A7E12C223BF59E09CCCCC99D633863FA4B3
                                                                                                                                                                                                                                                    SHA-256:ECDF520E5064FDCC8785C7D92BB714A301AFA6FAC51CC360E2754B8685336616
                                                                                                                                                                                                                                                    SHA-512:ABFD6A412E8C62EB0CCE06FE19F0138190B7AC59CDAD13AB95121948CF0C03D018CD955C1D990277866704210D8A7815D587AD1BEE0C0D5B4ABFBBBE6F719BF2
                                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                                                                    Preview:..T.i.m.e.s.t.a.m.p...P.r.o.c.e.s.s...T.I.D...A.r.e.a...C.a.t.e.g.o.r.y...E.v.e.n.t.I.D...L.e.v.e.l...M.e.s.s.a.g.e...C.o.r.r.e.l.a.t.i.o.n.....0.4./.1.3./.2.0.2.4. .1.5.:.3.6.:.0.4...8.3.8...O.F.F.I.C.E.~.1. .(.0.x.1.6.0.8.)...0.x.2.3.c.....C.l.i.c.k.-.T.o.-.R.u.n. .G.e.n.e.r.a.l. .T.e.l.e.m.e.t.r.y...a.q.k.h.c...M.e.d.i.u.m...I.n.i.t.L.o.g.g.i.n.g. .{.".M.a.c.h.i.n.e.I.d.".:. .".b.2.d.f.2.e.3.5.5.e.3.c.0.2.4.9.9.1.f.2.8.6.e.1.9.a.9.5.b.9.c.3.".,. .".S.e.s.s.i.o.n.I.D.".:. .".0.9.7.c.7.7.f.b.-.5.d.5.d.-.4.8.6.8.-.8.6.0.b.-.0.9.f.4.e.5.b.5.0.a.5.3.".,. .".G.e.o.I.D.".:. .2.2.3.,. .".V.e.r.".:. .".0...0...0...0.".,. .".C.2.R.C.l.i.e.n.t.V.e.r.".:. .".1.6...0...1.5.7.2.6...2.0.1.8.8.".,. .".C.o.n.t.e.x.t.D.a.t.a.".:. .".{.\.".A.p.p.V.V.e.r.s.i.o.n.\.".:.\.".0...0.\.".,.\.".B.i.t.n.e.s.s.\.".:.\.".3.2.\.".,.\.".C.o.m.m.a.n.d.L.i.n.e.\.".:.\."./.d.o.w.n.l.o.a.d. .C.:.\.\.\.\.W.i.n.d.o.w.s.\.\.\.\.T.E.M.P.\.\.\.\.O.f.f.i.c.e...x.m.l.\.".,.\.".E.x.e.V.e.r.\.".:.\.".1.6...0...1.5.7.2.6...2.0.
                                                                                                                                                                                                                                                    Process:C:\Windows\Temp\officesetup.exe
                                                                                                                                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                                    Size (bytes):35863
                                                                                                                                                                                                                                                    Entropy (8bit):4.755386699585551
                                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                                    SSDEEP:768:1XysJ3mZ8xJpSfwQJryWj/0j8xePOUQdLudiROO5yptSEelAabIBs7GX9kL7OwNq:pJ
                                                                                                                                                                                                                                                    MD5:0638822CE22108C046C21A14AE6DF81A
                                                                                                                                                                                                                                                    SHA1:F76523A62757D2E5688D3F1C68C190ABA651ED6A
                                                                                                                                                                                                                                                    SHA-256:B31E4DDAA85B003CCFFEE514D2CCA067F8E92A1BB01223C026F6425C558EAF3E
                                                                                                                                                                                                                                                    SHA-512:CEFAD26F24A31EB8A98F277BD8E4332AC1F63AB76005BD6EDA82C5C4EF707A8800FA1138837220BC934A28D688B757874FA171A4A7756A7D8CADCDAC470D7004
                                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                                                                    Preview:.<?xml version="1.0" encoding="utf-8"?>..<descriptor version="16.0.14332.20685">.. <Properties>.. <Property name="PackageVersion" value="16.0.14332.20685" />.. <Property name="PackagePlatform" value="x64" />.. <Property name="CultureProductType" value="Full" />.. </Properties>.. <Apps>.. <App id="Access" target="root\office16\msaccess.exe">.. <Packages>.. <Package ID="Access.x64.x-none.16" />.. </Packages>.. </App>.. <App id="DCF">.. <Packages>.. <Package ID="DCF.x64.x-none.16" />.. </Packages>.. </App>.. <App id="Excel" target="root\office16\excel.exe">.. <Packages>.. <Package ID="Excel.x64.x-none.16" />.. </Packages>.. </App>.. <App id="Groove" target="root\office16\groove.exe">.. <Packages>.. <Package ID="Groove.x64.x-none.16" />.. </Packages>.. </App>.. <App id="Lync" target="root\office16\lync.exe">.. <Packages>.. <Package ID="Lync.x64.x-none.16" />.. </Pac
                                                                                                                                                                                                                                                    Process:C:\Windows\Temp\officesetup.exe
                                                                                                                                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                                    Size (bytes):134
                                                                                                                                                                                                                                                    Entropy (8bit):3.0740279576913396
                                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                                    SSDEEP:3:QnNluL0aZUlaRlQlRhMnmljlNR4rUkphlP9kkyU4MlQIlklb1gG:Qnr4UluQlHMnmlZNur30kyQKIlklbeG
                                                                                                                                                                                                                                                    MD5:97362E01C8B7AAEEE9ADF6FE629511B5
                                                                                                                                                                                                                                                    SHA1:FA173221F1AFD6FDE8F4B20E9A7274E43BDE1A39
                                                                                                                                                                                                                                                    SHA-256:B8B1E88AA830173F28D9846019A9077C2B45DD424C361FE4068F74C08EF7AD96
                                                                                                                                                                                                                                                    SHA-512:901989B9BBE72F04E7BB25E1BF4957DF2A61F401B35B26575FDBF7B68FECA4603293194B2977013E3C0C3DB4668D523EDA22374B1BCBBF773EA021493B83B7B9
                                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                                                                    Preview:..5.7.2.E.C.A.D.4.C.3.8.F.1.3.8.4.5.4.D.1.0.8.C.F.1.9.4.D.1.6.9.4.1.0.4.2.F.B.D.0.4.D.1.2.A.E.C.F.5.1.5.3.B.0.E.2.3.5.7.A.F.B.2.E.....
                                                                                                                                                                                                                                                    Process:C:\Windows\Temp\officesetup.exe
                                                                                                                                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                                    Size (bytes):106
                                                                                                                                                                                                                                                    Entropy (8bit):3.1117249985922757
                                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                                    SSDEEP:3:Qk6J9lmjyrlDhlZXNMdlZvo52vSJUDlXRlXlrqlovn:Qk6GGxDUutaDhMlov
                                                                                                                                                                                                                                                    MD5:71958325F70C2A21037AD51270EAA8FC
                                                                                                                                                                                                                                                    SHA1:C9624BC648955233994AE4391CE1925FFCB37B62
                                                                                                                                                                                                                                                    SHA-256:95DFB66E142466F4D1EA55388CA496C9097205E4C7BD9819933D6E320019A04F
                                                                                                                                                                                                                                                    SHA-512:1662B2648269A0EF07D6A686145E44C5627AF697E7D8D3648EE3B76E4CBAA42A048164971ED53621FD2B4366F94C1C75C5D2420D2254F3417CBDF3E7B3DB20DA
                                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                                                                    Preview:..A.A.0.9.5.B.C.F.B.9.1.F.3.2.4.D.C.5.2.2.3.B.D.4.F.3.3.9.E.4.5.F.....1.6...0...1.4.3.3.2...2.0.6.8.5.....
                                                                                                                                                                                                                                                    Process:C:\Windows\Temp\officesetup.exe
                                                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                                    Size (bytes):636025
                                                                                                                                                                                                                                                    Entropy (8bit):6.800952370359779
                                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                                    SSDEEP:6144:has6s6mCOO3+YDjzOzOmFr9PKi9iw/2x1OkMDq:haRAPX/pm
                                                                                                                                                                                                                                                    MD5:0850B08F78AAB5D5A4DCD6944B50D488
                                                                                                                                                                                                                                                    SHA1:7223391BDC5186E548EEDD97A8B692C1C6FD5701
                                                                                                                                                                                                                                                    SHA-256:C4D5D58C94B6EC282ECC3E0A4382D13210C006F6430FEB8E099F08DDC5FCF975
                                                                                                                                                                                                                                                    SHA-512:9D56C4085C39D1F91BA7A6E73829B7010B1501BE7853D929E6ECFD8AEF877F9DDF3691D4D83A65AB9896F6FD8D560B02EB1936DDD58303B80B3CF73C47C04890
                                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                                                                    Process:C:\Windows\Temp\officesetup.exe
                                                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                                    Size (bytes):1409692
                                                                                                                                                                                                                                                    Entropy (8bit):7.989304019057786
                                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                                    SSDEEP:24576:YmyVpaeKw63wacVi38hW/T8k9OMpemu/il7CltdQ30MiCj3hAaJvggN4BiWL6W9S:YmyVpaekxcViPY/il7CltdLfCjLxGRLW
                                                                                                                                                                                                                                                    MD5:6791FD2FC2AAB7A333419BEDB4BB1C38
                                                                                                                                                                                                                                                    SHA1:EB9B11347FE7227C45A73060B5075B2172B49D19
                                                                                                                                                                                                                                                    SHA-256:27ADBAB43F274776F79649E8CACD694D2DED0EBEC9A0D97E8970C1AE7412BAE6
                                                                                                                                                                                                                                                    SHA-512:68AB6541BE9E2FBABD745D4B2F09113DD29DA4356E1B6448ADAEAF17348A29FED6F802902E30F007DC2B936F0CC6FB08E33688C79508ED4ABF17670C9C28016F
                                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                                                                    Process:C:\Windows\Temp\officesetup.exe
                                                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                                    Size (bytes):128
                                                                                                                                                                                                                                                    Entropy (8bit):2.910811696505773
                                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                                    SSDEEP:3:E+iJgl1Z8bHnxRlRn6l6TWwSTWl5XHF7kRK6528Zn:E+iJglL8bX6wpl5Vh602n
                                                                                                                                                                                                                                                    MD5:6F8E2E04450C7A859E1B1506762E9362
                                                                                                                                                                                                                                                    SHA1:169BB1498793AF0BD2AD24586329F43554F7FCC0
                                                                                                                                                                                                                                                    SHA-256:6ACC726FAC93BC1C1CADFAF5D76DF76BC063EB06519AE65FDFF93006BE1C5A4A
                                                                                                                                                                                                                                                    SHA-512:2F61219122BFD5EA8374A9BA928C420A31FA04B2FFFC82EBDC00267A22AD74E3FBECC1A5199C3FD0C4C834B3419206AB2EFB87A08C83ECC509E2601F4066EED1
                                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                                                                    Preview:6.7.C.3.5.3.A.7.E.2.F.1.E.9.E.0.7.8.B.0.B.0.5.1.4.4.3.1.9.F.F.3.6.4.9.A.7.5.7.D.4.8.3.8.8.9.E.F.6.B.9.9.D.3.4.5.9.3.7.F.E.8.1.F.
                                                                                                                                                                                                                                                    Process:C:\Windows\Temp\officesetup.exe
                                                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                                    Size (bytes):3470826
                                                                                                                                                                                                                                                    Entropy (8bit):3.936249445534653
                                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                                    SSDEEP:24576:ESpnk5hC5nqzk59ZRZE8feTmhvGE3SzMTRX:EAKQZikTbIT9EuWV
                                                                                                                                                                                                                                                    MD5:3B17AB59B338CB711177B805B96C4CC6
                                                                                                                                                                                                                                                    SHA1:C09EED3B63436A8B76AD1E3CAADD5D6609FE05E0
                                                                                                                                                                                                                                                    SHA-256:B80D369E282785710AE4387DA6B2A91DEA44C3A1439330A7374617724629B2CE
                                                                                                                                                                                                                                                    SHA-512:85BF4F8F848FC994FCA6D906BA4B77C8227405AEED91F930F0F87E42BAF3EF744E1EB1D5AA1FEBC845A39426EA3B5B1D52FF1557B7BD04A66AEA95D3C3788892
                                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                                                                    Process:C:\Windows\Temp\officesetup.exe
                                                                                                                                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                                    Size (bytes):12504
                                                                                                                                                                                                                                                    Entropy (8bit):4.895471929617305
                                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                                    SSDEEP:96:VBjDj5O8qwEyY/FGB/Ao95UR4a9DMnOKacKaLKahKae6jfg2xtyY/qNTcxOvwGB5:z16J
                                                                                                                                                                                                                                                    MD5:5CBF403FF90D485EED1AF1CE76B068A6
                                                                                                                                                                                                                                                    SHA1:CE3791BDF83C5BEBB370C71E486327F721D7C7E7
                                                                                                                                                                                                                                                    SHA-256:8B3F65259AB84BC02C13D7A1D027C79FB7C82C1441A5B898726DBF26AB023C51
                                                                                                                                                                                                                                                    SHA-512:11CBBE20D64FA45AC5C57559D4069EEB7F417B21B0675D930CBA480643CDEC36BA57885DE90A3C80A050E0216BCF00B51FCB7B83699E22286B74A645D5AD6BC3
                                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                                                                    Preview:.<?xml version="1.0" encoding="utf-8"?>..<Version>.. <Available Build="16.0.14332.20685" I320Hash="E09BA7D19ED3DA6152F773CFBA9B78E0" I640Hash="ECDA3EFFD1E4F94E6636570328A4AA76" I320Version="16.0.14332.20685" I640Version="16.0.14332.20685" />.. <SecurityFixes LastBuild="" />.. <Throttle Value="1000" />.. <RequiredClientVersion Build="15.0.4446.1000" />.. <MinUpgradeBuild Build="16.0.0.0" />.. <Prereq>.. <MinOSVersion Build="6.1.0|6.2.0" FailMessage="NoMinOS" />.. <SxS32_64 NonBlocking="002A|0116|0043|0021|00A4|0070|0026|0032|0045|0046|00F5|00F6|0132|0133|007E|008F|008C|00B9|00DD|00C1" Blocking="003F|0020|00D1|00AF" OnDemand="False" FailMessage="SxS32_64Block" />.. <PreRelease Build="15.0.4419.1000" OnDemand="False" FailMessage="PreReleaseFound" />.. <MinClientVersion Build="15.0.4446.1000" FailMessage="ClientUpdateRequired" />.. <MinBootstrapperVersion Build="16.0.0.0" FailMessage="NewBootstrapperRequired" />.. <DiskSpace SysDrive="50000000" OnDemand="False" Fa
                                                                                                                                                                                                                                                    Process:C:\Windows\Temp\officesetup.exe
                                                                                                                                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                                    Size (bytes):106
                                                                                                                                                                                                                                                    Entropy (8bit):3.134031866296052
                                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                                    SSDEEP:3:QXrL7tKg7tSKanlHizPIlXyl90JUDlXRlXlrqlovn:QXrNKgkDCzPYil90aDhMlov
                                                                                                                                                                                                                                                    MD5:B9A886CE2E346F5BA10D4E9450FAABC9
                                                                                                                                                                                                                                                    SHA1:ED05F5C42D85972BFF4FBE6E0B0847350DC4EECC
                                                                                                                                                                                                                                                    SHA-256:90DDEDB96CA953C9B91CA57462033A8B414EC72DCDB89D5B3A77DD7254F3D0F3
                                                                                                                                                                                                                                                    SHA-512:E4F9860636EDE548B566A0D32BCEAD12AD9490176C2346A07EAB34661F478D3080FE0B4613BAEE16493FECE19E154A4A154C9E5130B762E6BFAC29593541D675
                                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                                    Preview:..0.0.6.7.4.C.4.D.A.C.1.E.F.9.C.7.D.E.E.1.0.A.B.D.4.3.D.0.9.2.6.2.....1.6...0...1.4.3.3.2...2.0.6.8.5.....
                                                                                                                                                                                                                                                    Process:C:\Windows\Temp\officesetup.exe
                                                                                                                                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                                    Size (bytes):12504
                                                                                                                                                                                                                                                    Entropy (8bit):4.895471929617305
                                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                                    SSDEEP:96:VBjDj5O8qwEyY/FGB/Ao95UR4a9DMnOKacKaLKahKae6jfg2xtyY/qNTcxOvwGB5:z16J
                                                                                                                                                                                                                                                    MD5:5CBF403FF90D485EED1AF1CE76B068A6
                                                                                                                                                                                                                                                    SHA1:CE3791BDF83C5BEBB370C71E486327F721D7C7E7
                                                                                                                                                                                                                                                    SHA-256:8B3F65259AB84BC02C13D7A1D027C79FB7C82C1441A5B898726DBF26AB023C51
                                                                                                                                                                                                                                                    SHA-512:11CBBE20D64FA45AC5C57559D4069EEB7F417B21B0675D930CBA480643CDEC36BA57885DE90A3C80A050E0216BCF00B51FCB7B83699E22286B74A645D5AD6BC3
                                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                                    Process:C:\Windows\Temp\officesetup.exe
                                                                                                                                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                                    Size (bytes):106
                                                                                                                                                                                                                                                    Entropy (8bit):3.134031866296052
                                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                                    SSDEEP:3:QXrL7tKg7tSKanlHizPIlXyl90JUDlXRlXlrqlovn:QXrNKgkDCzPYil90aDhMlov
                                                                                                                                                                                                                                                    MD5:B9A886CE2E346F5BA10D4E9450FAABC9
                                                                                                                                                                                                                                                    SHA1:ED05F5C42D85972BFF4FBE6E0B0847350DC4EECC
                                                                                                                                                                                                                                                    SHA-256:90DDEDB96CA953C9B91CA57462033A8B414EC72DCDB89D5B3A77DD7254F3D0F3
                                                                                                                                                                                                                                                    SHA-512:E4F9860636EDE548B566A0D32BCEAD12AD9490176C2346A07EAB34661F478D3080FE0B4613BAEE16493FECE19E154A4A154C9E5130B762E6BFAC29593541D675
                                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                                    Process:C:\Windows\Temp\officesetup.exe
                                                                                                                                                                                                                                                    File Type:Microsoft Cabinet archive data, many, 30024529 bytes, 123 files, at 0x44 "api-ms-win-core-file-l1-2-0.dll" "api-ms-win-core-file-l2-1-0.dll", flags 0x4, ID 15965, number 1, extra bytes 20 in head, 2850 datablocks, 0x1203 compression
                                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                                    Size (bytes):30034241
                                                                                                                                                                                                                                                    Entropy (8bit):7.999931776542299
                                                                                                                                                                                                                                                    Encrypted:true
                                                                                                                                                                                                                                                    SSDEEP:786432:lUjY/KAfKGc44An0S+SSu09ETicCHg1K6bET2uShGxrUDt:lZIG34A0S+rujTwP2uSkxrot
                                                                                                                                                                                                                                                    MD5:5BD25CC955129597EC7519584EFC533E
                                                                                                                                                                                                                                                    SHA1:E0158B1A2538E8288BACDDE72EBC17D8607C3B21
                                                                                                                                                                                                                                                    SHA-256:ED60AE6996F8D8C5FCC48A662627FAE6152AD4A04BCBB954A5B0E0E926D69782
                                                                                                                                                                                                                                                    SHA-512:828E572839FF8E1D702EED03FA66956B56947B92B43EBC3C61E4B6E4C234F5F50638363F73F421F19169480B080D6A613C75AA11A2D700249EA012539B5FD1AF
                                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                                    Preview:MSCF....Q#......D...........{...]>..........Q#...%..........5..."....H.........R.]..api-ms-win-core-file-l1-2-0.dll..H...H.....R.]..api-ms-win-core-file-l2-1-0.dll..R.........R.]..api-ms-win-core-localization-l1-2-0.dll..J..@......R.]..api-ms-win-core-processthreads-l1-1-1.dll..J.../.....R.]..api-ms-win-core-synch-l1-2-0.dll..H...y.....R.]..api-ms-win-core-timezone-l1-1-0.dll.`-.........R.]..api-ms-win-core-xstate-l2-1-0.dll..L.........R.]..api-ms-win-crt-conio-l1-1-0.dll..X...<.....R.]..api-ms-win-crt-convert-l1-1-0.dll..J..`......R.]..api-ms-win-crt-environment-l1-1-0.dll..P.. ......R.]..api-ms-win-crt-filesystem-l1-1-0.dll..L...0.....R.]..api-ms-win-crt-heap-l1-1-0.dll..J...}.....R.^..api-ms-win-crt-locale-l1-1-0.dll..l..`......R.^..api-ms-win-crt-math-l1-1-0.dll..h.. 5.....R.^..api-ms-win-crt-multibyte-l1-1-0.dll............R.^..api-ms-win-crt-private-l1-1-0.dll..L.........R.^..api-ms-win-crt-process-l1-1-0.dll..Z..`......R.^..api-ms-win-crt-runtime-l1-1-0.dll..`.. Z.....R.^..api-m
                                                                                                                                                                                                                                                    Process:C:\Windows\Temp\officesetup.exe
                                                                                                                                                                                                                                                    File Type:zlib compressed data
                                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                                    Size (bytes):1295908864
                                                                                                                                                                                                                                                    Entropy (8bit):7.997861042794959
                                                                                                                                                                                                                                                    Encrypted:true
                                                                                                                                                                                                                                                    SSDEEP:
                                                                                                                                                                                                                                                    MD5:119C32332F6E7BAF7C24CB63B8BC02D0
                                                                                                                                                                                                                                                    SHA1:88395C0D31FAA52D251B0DF9FB30832CA861C596
                                                                                                                                                                                                                                                    SHA-256:44EB0F09C88F4DAA08DB17FA4AB4AB1C947F2EBA7464CD128E2B842FAE3A9758
                                                                                                                                                                                                                                                    SHA-512:90D181E2BAB6F76751B03D57495D836A48EFBBA76491283B0C7E55105444E24EAE9C4CA509C6A3FE4FA0A61FA78AA0C34B67EC3B203E9EC0474DF91455C0E91E
                                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                                    Process:C:\Windows\Temp\officesetup.exe
                                                                                                                                                                                                                                                    File Type:Microsoft Cabinet archive data, many, 1315 bytes, 2 files, at 0x44 +A "v64.hash" +A "VersionDescriptor.xml", flags 0x4, ID 35189, number 1, extra bytes 20 in head, 1 datablock, 0x1503 compression
                                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                                    Size (bytes):11115
                                                                                                                                                                                                                                                    Entropy (8bit):7.53771510650643
                                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                                    SSDEEP:192:SP1PxoCZJWEXCVWQ46WLxwVIX01k9z3ABZi2Q/w:opoCsER9zGFQI
                                                                                                                                                                                                                                                    MD5:3A12230A63D6E0F3D23DA96432CBE614
                                                                                                                                                                                                                                                    SHA1:3F0AC1336724A0C5123CD22054C243E3084504B0
                                                                                                                                                                                                                                                    SHA-256:E9CF71F94D087571BB3C2AA73E04CE7D40F5BB1F15E3A485D70956C896AE320A
                                                                                                                                                                                                                                                    SHA-512:F30331900D7F8110A30A104E09986A9C4009717E0AA35A0CC183EFBBB34397860F277239A493D09D524AE0CEE431405236D2C64817C05BD10E51E137D027A8D6
                                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exe
                                                                                                                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                                    Size (bytes):1174
                                                                                                                                                                                                                                                    Entropy (8bit):5.052208421294447
                                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                                    SSDEEP:24:VKcl5lEcl5ltcl5lqcl5lsrcl5l4t0SAYJ1kWbmWkBcWlf3:VKOzEOztOzqOzoOz4tbJ1kqmHBcG
                                                                                                                                                                                                                                                    MD5:9BF0A18ACC1DDB07536AE9612168FE02
                                                                                                                                                                                                                                                    SHA1:ABAFCC5CC6A14BC6DCB1B4ADB398F0440C0D083D
                                                                                                                                                                                                                                                    SHA-256:EC00D029ED45C631749344400F50BDC3A63E17284DBA6CC410F3B5D19383FB64
                                                                                                                                                                                                                                                    SHA-512:500488A8B1D0CFDFF6D26D651015C21B2C6E7CB26BB65CDE481FB226A4FEEAF42D44E09EA51841B83F4BEB5F5CBD14E8495C181C11B2E774AD1A06A18EA6D782
                                                                                                                                                                                                                                                    Malicious:false
Preview:
<Configuration>
  <Add OfficeClientEdition="64" Channel="PerpetualVL2021" ForceUpgrade="TRUE">
    <Product ID="ProPlus2021Volume">
      <ExcludeApp ID="OneDrive" />
      <Language ID="en-US" />
      <Language ID="da-DK" />
    </Product>
    <Product ID="VisioPro2021Volume">
      <ExcludeApp ID="OneDrive" />
      <Language ID="en-US" />
      <Language ID="da-DK" />
    </Product>
    <Product ID="ProjectPro2021Volume">
      <ExcludeApp ID="OneDrive" />
      <Language ID="en-US" />
      <Language ID="da-DK" />
    </Product>
    <Product ID="Word2021Volume">
      <ExcludeApp ID="OneDrive" />
      <Language ID="en-US" />
      <Language ID="da-DK" />
    </Product>
    <Product ID="ProofingTools">
      <ExcludeApp ID="OneDrive" />
      <Language ID="en-US" />
      <Language ID="da-DK" />
    </Product>
  </Add>
  <Remove All="True" />
  <RemoveMSI All="True" />
  <Updates Enabled="True" Channel="PerpetualVL2021" />
  <Display Level="Full" AcceptEULA="True" />
                                                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exe
                                                                                                                                                                                                                                                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                                    Size (bytes):7420784
                                                                                                                                                                                                                                                    Entropy (8bit):6.566882354472156
                                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                                    SSDEEP:196608:LQtpIsOE1/oL8VsPbs9BFZu0fkL7RqbLE81A5EvGNi:LQ4sOEVYPiFZu08uE81A5Ev5
                                                                                                                                                                                                                                                    MD5:2D87CE389DB6F9F4F2BB7AECF64042A9
                                                                                                                                                                                                                                                    SHA1:2A08974F6C23A1F2D3A12F57A43F0AA96B929266
                                                                                                                                                                                                                                                    SHA-256:29D0E8520D754AEBAE73ABF685B328D0EEB9BFF7DCFB909B51D846FEB290C84D
                                                                                                                                                                                                                                                    SHA-512:3F9AC7F0A3ADF0C57A7D2E370369B8595FA610DF354664EDC7722574D59C5CBC43DB94C5326DA6512B82AE0528A2F716A71D15822D22C151EA1216D85FC9137D
                                                                                                                                                                                                                                                    Malicious:true
                                                                                                                                                                                                                                                    Antivirus:
                                                                                                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
                                                                                                                                                                                                                                                    Joe Sandbox View:
• Filename: OInstall.exe, Detection: malicious
• Filename: OInstall.exe, Detection: malicious
                                                                                                                                                                                                                                                    Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......l..(...(...(.......2...........H...<...H...4......./.......*...............).......?...(......H......M......M.......M.0.)...(.X.)...M...)...Rich(...................PE..L.....\c............... .~F..r*.....6.>......0G...@.......................... q......Qq...@.................................tyc.......g...............p.pM...@k.......c.8....................i]......lG.@.............F.l...t\c......................text...#}F......~F................. ..`.rdata..h.....F.......F.............@..@.data...L.....c.......c.............@....rsrc.........g.......g.............@..@.reloc.......@k.......k.............@..B................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                    File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                    Entropy (8bit):7.828574241856043
                                                                                                                                                                                                                                                    TrID:
                                                                                                                                                                                                                                                    • Win64 Executable GUI (202006/5) 92.65%
                                                                                                                                                                                                                                                    • Win64 Executable (generic) (12005/4) 5.51%
                                                                                                                                                                                                                                                    • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                                                                                                                                                                                    • DOS Executable Generic (2002/1) 0.92%
                                                                                                                                                                                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                                                                    File name:SecuriteInfo.com.Trojan.Agent.19085.17583.exe
                                                                                                                                                                                                                                                    File size:3'092'254 bytes
                                                                                                                                                                                                                                                    MD5:ac59acaacf35b2521c866250d3ac9240
                                                                                                                                                                                                                                                    SHA1:7ffa05d5c82c5c1a98ca5382c7944b58284dc68e
                                                                                                                                                                                                                                                    SHA256:3bfddde240eb1c8295e0ededcc4905ff180c40a37625058b71ae280988a370e6
                                                                                                                                                                                                                                                    SHA512:ab668a32d21a2c362bf9b1db487c36bbc6fd81eeaa0c5e6bb8b31f02d274df38a3804892349168712b18698708a0a5e1e11ae346ef54a6de2af23a4974daae9c
                                                                                                                                                                                                                                                    SSDEEP:49152:yZB1G8YEdfMRzZKARC00ZxmzNqx4B72NW7wEoM0dURwrQtPsYK12TCQxWd2HDOE:Y3GIywARqxmz0x48NEotuBPsYKiFM6l
                                                                                                                                                                                                                                                    TLSH:BCE51209F794CCE4E0FBD27889969712E3753C4913605A8F33D41AEB2F672AC9D2A750
                                                                                                                                                                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$.2.`.\.`.\.`.\..y..h.\..y....\..y..m.\.....b.\...X.r.\..._.j.\...Y.Y.\.i...i.\.i...b.\.i...g.\.`.].C.\...Y.R.\...\.a.\.....a.\
                                                                                                                                                                                                                                                    Icon Hash:0f43b1b1b1b01f0e
                                                                                                                                                                                                                                                    Entrypoint:0x140032e60
                                                                                                                                                                                                                                                    Entrypoint Section:.text
                                                                                                                                                                                                                                                    Digitally signed:false
                                                                                                                                                                                                                                                    Imagebase:0x140000000
                                                                                                                                                                                                                                                    Subsystem:windows gui
                                                                                                                                                                                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                                                                                                                                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                                                    Time Stamp:0x65DC537B [Mon Feb 26 09:01:47 2024 UTC]
                                                                                                                                                                                                                                                    TLS Callbacks:
                                                                                                                                                                                                                                                    CLR (.Net) Version:
                                                                                                                                                                                                                                                    OS Version Major:5
                                                                                                                                                                                                                                                    OS Version Minor:2
                                                                                                                                                                                                                                                    File Version Major:5
                                                                                                                                                                                                                                                    File Version Minor:2
                                                                                                                                                                                                                                                    Subsystem Version Major:5
                                                                                                                                                                                                                                                    Subsystem Version Minor:2
                                                                                                                                                                                                                                                    Import Hash:b1c5b1beabd90d9fdabd1df0779ea832
                                                                                                                                                                                                                                                    Instruction
                                                                                                                                                                                                                                                    Programming Language:
                                                                                                                                                                                                                                                    • [ C ] VS2008 SP1 build 30729
                                                                                                                                                                                                                                                    • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x597a0 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x597d4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x70000 | 0x35864 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x6a000 | 0x306c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa6000 | 0x970 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x536c0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x53780 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4b3f0 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x48000 | 0x508 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x588bc | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x466ee | 0x46800 | 27edb25a1bc32573014bf3adb5cecc24 | False | 0.536860039893617 | data | 6.469383562827248 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x48000 | 0x128c4 | 0x12a00 | cde5f7a0fae18bcdb38da9f29d7f3313 | False | 0.449834836409396 | data | 5.269838116965451 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x5b000 | 0xe75c | 0x1a00 | 0a420650d3abfc14c296cd4945b33a1d | False | 0.28260216346153844 | data | 3.2569573130951395 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x6a000 | 0x306c | 0x3200 | 95c27b680fbce994429e951f39e7a9ad | False | 0.487734375 | data | 5.502914123440489 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat | 0x6e000 | 0x360 | 0x400 | 53c09865fd6da5cc74254921d9575e3d | False | 0.259765625 | data | 3.025278137091312 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA | 0x6f000 | 0x15c | 0x200 | 58d3584c9c50f7594166c2ade479252f | False | 0.40234375 | data | 3.307334517307356 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x70000 | 0x35864 | 0x35a00 | a5f9888a74a5c37568574fab401d0339 | False | 0.2458251384032634 | data | 5.063060533509893 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa6000 | 0x970 | 0xa00 | 77a9ddfc47a5650d6eebbcc823e39532 | False | 0.52421875 | data | 5.336289720085303 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x70884 | 0x4a02 | PNG image data, 513 x 542, 8-bit/color RGBA, non-interlaced | | | 0.8109363454027235
PNG | 0x75288 | 0x4a02 | PNG image data, 513 x 542, 8-bit/color RGBA, non-interlaced | | | 0.8109363454027235
RT_ICON | 0x79c8c | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | | | 0.3870967741935484
RT_ICON | 0x79f74 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | | | 0.5405405405405406
RT_ICON | 0x7a09c | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | | | 0.29830747531734836
RT_ICON | 0x7b6c4 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | | | 0.3664712153518124
RT_ICON | 0x7c56c | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | | | 0.4223826714801444
RT_ICON | 0x7ce14 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | | | 0.34609826589595377
RT_ICON | 0x7d37c | 0x2a8a | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9723599632690542
RT_ICON | 0x7fe08 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | | | 0.1084191717468993
RT_ICON | 0x892b0 | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 26560 | | | 0.1230827067669173
RT_ICON | 0x8fa98 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | | | 0.13867837338262476
RT_ICON | 0x94f20 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.15322390174775627
RT_ICON | 0x99148 | 0x3a48 | Device independent bitmap graphic, 60 x 120 x 32, image size 14880 | | | 0.16642091152815014
RT_ICON | 0x9cb90 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.20062240663900416
RT_ICON | 0x9f138 | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 6720 | | | 0.23180473372781066
RT_ICON | 0xa0ba0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.2568011257035647
RT_ICON | 0xa1c48 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.32581967213114754
RT_ICON | 0xa25d0 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 1680 | | | 0.3686046511627907
RT_ICON | 0xa2c88 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.41134751773049644
RT_DIALOG | 0xa30f0 | 0x286 | data | English | United States | 0.5092879256965944
RT_DIALOG | 0xa3378 | 0x13a | data | English | United States | 0.60828025477707
RT_DIALOG | 0xa34b4 | 0xec | data | English | United States | 0.6991525423728814
RT_DIALOG | 0xa35a0 | 0x12e | data | English | United States | 0.5927152317880795
RT_DIALOG | 0xa36d0 | 0x338 | data | English | United States | 0.45145631067961167
RT_DIALOG | 0xa3a08 | 0x252 | data | English | United States | 0.5757575757575758
RT_STRING | 0xa3c5c | 0x1e2 | data | English | United States | 0.3900414937759336
RT_STRING | 0xa3e40 | 0x1cc | data | English | United States | 0.4282608695652174
RT_STRING | 0xa400c | 0x1b8 | data | English | United States | 0.45681818181818185
RT_STRING | 0xa41c4 | 0x146 | data | English | United States | 0.5153374233128835
RT_STRING | 0xa430c | 0x46c | data | English | United States | 0.3454063604240283
RT_STRING | 0xa4778 | 0x166 | data | English | United States | 0.49162011173184356
RT_STRING | 0xa48e0 | 0x152 | data | English | United States | 0.5059171597633136
RT_STRING | 0xa4a34 | 0x10a | data | English | United States | 0.49624060150375937
RT_STRING | 0xa4b40 | 0xbc | data | English | United States | 0.6329787234042553
RT_STRING | 0xa4bfc | 0x1c0 | data | English | United States | 0.5178571428571429
RT_STRING | 0xa4dbc | 0x250 | data | English | United States | 0.44256756756756754
RT_GROUP_ICON | 0xa500c | 0x102 | data | | | 0.6317829457364341
RT_MANIFEST | 0xa5110 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.39786666666666665
DLL | Import
KERNEL32.dll | LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindNextFileA, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipCloneImage, GdipFree, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipAlloc
Language of compilation system | Country where language is spoken
English | United States
                                                                                                                                                                                                                                                    Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

                                                                                                                                                                                                                                                    Target ID:0
                                                                                                                                                                                                                                                    Start time:15:35:57
                                                                                                                                                                                                                                                    Start date:13/04/2024
                                                                                                                                                                                                                                                    Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exe
                                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                                    Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exe"
                                                                                                                                                                                                                                                    Imagebase:0x7ff6a42f0000
                                                                                                                                                                                                                                                    File size:3'092'254 bytes
                                                                                                                                                                                                                                                    MD5 hash:AC59ACAACF35B2521C866250D3AC9240
                                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                                                                    Target ID:3
                                                                                                                                                                                                                                                    Start time:15:36:03
                                                                                                                                                                                                                                                    Start date:13/04/2024
                                                                                                                                                                                                                                                    Path:C:\Windows\Temp\officesetup.exe
                                                                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                                                                    Commandline:"C:\Windows\TEMP\officesetup.exe" /download C:\Windows\TEMP\Office.xml
                                                                                                                                                                                                                                                    Imagebase:0x20000
                                                                                                                                                                                                                                                    File size:7'420'784 bytes
                                                                                                                                                                                                                                                    MD5 hash:2D87CE389DB6F9F4F2BB7AECF64042A9
                                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                    Antivirus matches:
                                                                                                                                                                                                                                                    • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                                                    • Detection: 0%, Virustotal, Browse
                                                                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                                                                    Target ID:4
                                                                                                                                                                                                                                                    Start time:15:36:03
                                                                                                                                                                                                                                                    Start date:13/04/2024
                                                                                                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                    Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                                                                    Has exited:false


                                                                                                                                                                                                                                                      Execution Graph

                                                                                                                                                                                                                                                      Execution Coverage:13.1%
                                                                                                                                                                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                                                      Signature Coverage:27.2%
                                                                                                                                                                                                                                                      Total number of Nodes:2000
                                                                                                                                                                                                                                                      Total number of Limit Nodes:33
calls 26517->26522 26519 7ff6a4306ac3 26532 7ff6a42f1fa0 31 API calls 26519->26532 26536 7ff6a4306ad5 memcpy_s 26519->26536 26530 7ff6a4307077 26522->26530 26531 7ff6a430709b 26523->26531 26524 7ff6a4307066 26529 7ff6a4327884 _invalid_parameter_noinfo_noreturn 31 API calls 26524->26529 26525 7ff6a4306f16 26593 7ff6a42f11cc 33 API calls memcpy_s 26525->26593 26527 7ff6a4307083 26539 7ff6a4327884 _invalid_parameter_noinfo_noreturn 31 API calls 26527->26539 26528 7ff6a42f1fa0 31 API calls 26528->26570 26529->26534 26540 7ff6a4327884 _invalid_parameter_noinfo_noreturn 31 API calls 26530->26540 26542 7ff6a4327884 _invalid_parameter_noinfo_noreturn 31 API calls 26531->26542 26532->26536 26595 7ff6a42f2004 33 API calls std::_Xinvalid_argument 26534->26595 26543 7ff6a4306b7e 26535->26543 26536->26528 26537 7ff6a4306f29 26594 7ff6a430576c 33 API calls memcpy_s 26537->26594 26545 7ff6a4307089 26539->26545 26540->26515 26541 7ff6a42f1fa0 31 API calls 26552 7ff6a4306db5 26541->26552 26547 7ff6a43070a1 26542->26547 26572 7ff6a43057e0 33 API calls 26543->26572 26597 7ff6a42f704c 47 API calls memcpy_s 26545->26597 26546 7ff6a4306d36 memcpy_s 26546->26527 26546->26541 26548 7ff6a4306b93 26573 7ff6a42fe174 33 API calls 2 library calls 26548->26573 26551 7ff6a42f1fa0 31 API calls 26555 7ff6a4306fac 26551->26555 26556 7ff6a4306de1 26552->26556 26575 7ff6a42f1744 26552->26575 26553 7ff6a4306f39 memcpy_s 26553->26531 26553->26551 26598 7ff6a42f2004 33 API calls std::_Xinvalid_argument 26554->26598 26557 7ff6a42f1fa0 31 API calls 26555->26557 26556->26545 26562 7ff6a42f129c 33 API calls 26556->26562 26560 7ff6a4306fb6 26557->26560 26559 7ff6a42f1fa0 31 API calls 26564 7ff6a4306c2d 26559->26564 26561 7ff6a42f1fa0 31 API calls 26560->26561 26561->26570 26566 7ff6a4306e82 26562->26566 26563 7ff6a4306ba9 memcpy_s 26563->26530 26563->26559 26565 7ff6a42f1fa0 31 API calls 26564->26565 26565->26570 26588 7ff6a42f2034 26566->26588 26568 7ff6a4306e9f 26569 7ff6a42f1fa0 31 API calls 26568->26569 
26569->26570 26570->26499 26570->26516 26570->26517 26570->26524 26571->26519 26572->26548 26573->26563 26574->26546 26576 7ff6a42f18a1 26575->26576 26579 7ff6a42f1784 26575->26579 26599 7ff6a42f2004 33 API calls std::_Xinvalid_argument 26576->26599 26578 7ff6a42f18a7 26600 7ff6a42f1f80 33 API calls 3 library calls 26578->26600 26579->26578 26582 7ff6a4322150 33 API calls 26579->26582 26586 7ff6a42f17ac memcpy_s 26579->26586 26581 7ff6a42f18ad 26601 7ff6a43234cc 31 API calls __std_exception_copy 26581->26601 26582->26586 26584 7ff6a42f18d9 26584->26556 26585 7ff6a42f1859 memcpy_s 26585->26556 26586->26585 26587 7ff6a4327884 _invalid_parameter_noinfo_noreturn 31 API calls 26586->26587 26587->26576 26589 7ff6a42f2085 26588->26589 26591 7ff6a42f2059 memcpy_s 26588->26591 26602 7ff6a42f15b8 33 API calls 3 library calls 26589->26602 26591->26568 26592->26525 26593->26537 26594->26553 26597->26554 26600->26581 26601->26584 26602->26591 26604 7ff6a42f20f6 26603->26604 26606 7ff6a42f20cb memcpy_s 26603->26606 26607 7ff6a42f1474 33 API calls 3 library calls 26604->26607 26606->26367 26607->26606 26609 7ff6a43185cf SizeofResource 26608->26609 26614 7ff6a431871b 26608->26614 26610 7ff6a43185e9 LoadResource 26609->26610 26609->26614 26611 7ff6a4318602 LockResource 26610->26611 26610->26614 26612 7ff6a4318617 GlobalAlloc 26611->26612 26611->26614 26613 7ff6a4318638 GlobalLock 26612->26613 26612->26614 26615 7ff6a4318712 GlobalFree 26613->26615 26616 7ff6a431864a memcpy_s 26613->26616 26614->26402 26615->26614 26617 7ff6a4318676 GdipAlloc 26616->26617 26618 7ff6a4318709 GlobalUnlock 26616->26618 26619 7ff6a431868b 26617->26619 26618->26615 26619->26618 26620 7ff6a43186da GdipCreateHBITMAPFromBitmap 26619->26620 26621 7ff6a43186f2 26619->26621 26620->26621 26621->26618 26623 7ff6a431844c 4 API calls 26622->26623 26624 7ff6a431842a 26623->26624 26626 7ff6a4318439 26624->26626 26633 7ff6a4318484 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 26624->26633 26626->26409 26626->26410 
26626->26416 26627->26412 26629 7ff6a4318463 26628->26629 26630 7ff6a431845e 26628->26630 26632 7ff6a4318d74 15 API calls _handle_error 26629->26632 26634 7ff6a4318510 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 26630->26634 26632->26416 26633->26626 26634->26629 26638 7ff6a43098be _snwprintf 26635->26638 26636 7ff6a4309933 26753 7ff6a4306870 48 API calls 26636->26753 26638->26636 26640 7ff6a4309a49 26638->26640 26639 7ff6a42f1fa0 31 API calls 26642 7ff6a43099bd 26639->26642 26640->26642 26644 7ff6a42f20b0 33 API calls 26640->26644 26641 7ff6a430993d memcpy_s 26641->26639 26643 7ff6a430a3ee 26641->26643 26704 7ff6a4302480 26642->26704 26645 7ff6a4327884 _invalid_parameter_noinfo_noreturn 31 API calls 26643->26645 26644->26642 26647 7ff6a430a3f4 26645->26647 26650 7ff6a4327884 _invalid_parameter_noinfo_noreturn 31 API calls 26647->26650 26649 7ff6a43099e2 26652 7ff6a4302004 101 API calls 26649->26652 26653 7ff6a430a3fa 26650->26653 26651 7ff6a4309ad7 26722 7ff6a432a3d0 26651->26722 26654 7ff6a43099eb 26652->26654 26654->26647 26657 7ff6a4309a26 26654->26657 26656 7ff6a4309a6d 26656->26651 26662 7ff6a4308e18 33 API calls 26656->26662 26660 7ff6a43222a0 _handle_error 8 API calls 26657->26660 26659 7ff6a432a3d0 31 API calls 26673 7ff6a4309b17 __vcrt_InitializeCriticalSectionEx 26659->26673 26661 7ff6a430a3ce 26660->26661 26661->26419 26662->26656 26663 7ff6a4309c49 26664 7ff6a4302a60 102 API calls 26663->26664 26676 7ff6a4309d1c 26663->26676 26667 7ff6a4309c61 26664->26667 26668 7ff6a4302890 105 API calls 26667->26668 26667->26676 26674 7ff6a4309c89 26668->26674 26673->26663 26673->26676 26730 7ff6a4302b70 26673->26730 26739 7ff6a4302890 26673->26739 26744 7ff6a4302a60 26673->26744 26674->26676 26696 7ff6a4309c97 __vcrt_InitializeCriticalSectionEx 26674->26696 26754 7ff6a4310b3c MultiByteToWideChar 26674->26754 26749 7ff6a4302004 26676->26749 26677 7ff6a430a1ac 26687 7ff6a430a282 26677->26687 26760 7ff6a432cf10 31 API calls 2 library calls 26677->26760 26679 
7ff6a430a117 26679->26677 26757 7ff6a432cf10 31 API calls 2 library calls 26679->26757 26682 7ff6a430a10b 26682->26419 26683 7ff6a430a26e 26683->26687 26762 7ff6a4308c90 33 API calls 2 library calls 26683->26762 26684 7ff6a430a362 26686 7ff6a432a3d0 31 API calls 26684->26686 26685 7ff6a430a209 26761 7ff6a432b73c 31 API calls _invalid_parameter_noinfo_noreturn 26685->26761 26689 7ff6a430a38b 26686->26689 26687->26684 26693 7ff6a4308e18 33 API calls 26687->26693 26691 7ff6a432a3d0 31 API calls 26689->26691 26690 7ff6a430a12d 26758 7ff6a432b73c 31 API calls _invalid_parameter_noinfo_noreturn 26690->26758 26691->26676 26693->26687 26694 7ff6a430a198 26694->26677 26759 7ff6a4308c90 33 API calls 2 library calls 26694->26759 26696->26676 26696->26677 26696->26679 26696->26682 26697 7ff6a430a3e9 26696->26697 26699 7ff6a4310ee8 WideCharToMultiByte 26696->26699 26755 7ff6a430aa48 45 API calls _snwprintf 26696->26755 26756 7ff6a432a1f0 31 API calls 2 library calls 26696->26756 26763 7ff6a43225a4 8 API calls 26697->26763 26699->26696 26703 7ff6a430a428 26702->26703 26703->26421 26705 7ff6a43024bd CreateFileW 26704->26705 26707 7ff6a430256e GetLastError 26705->26707 26716 7ff6a430262e 26705->26716 26708 7ff6a43069cc 49 API calls 26707->26708 26709 7ff6a430259c 26708->26709 26710 7ff6a43025a0 CreateFileW GetLastError 26709->26710 26715 7ff6a43025ec 26709->26715 26710->26715 26711 7ff6a4302671 SetFileTime 26714 7ff6a430268f 26711->26714 26712 7ff6a43026c8 26713 7ff6a43222a0 _handle_error 8 API calls 26712->26713 26717 7ff6a43026db 26713->26717 26714->26712 26718 7ff6a42f20b0 33 API calls 26714->26718 26715->26716 26719 7ff6a43026f6 26715->26719 26716->26711 26716->26714 26717->26649 26717->26656 26718->26712 26720 7ff6a4327884 _invalid_parameter_noinfo_noreturn 31 API calls 26719->26720 26721 7ff6a43026fb 26720->26721 26723 7ff6a432a3fd 26722->26723 26729 7ff6a432a412 26723->26729 26764 7ff6a432d61c 15 API calls abort 26723->26764 26725 7ff6a432a407 26765 7ff6a4327864 31 API 
calls _invalid_parameter_noinfo_noreturn 26725->26765 26727 7ff6a43222a0 _handle_error 8 API calls 26728 7ff6a4309af7 26727->26728 26728->26659 26729->26727 26732 7ff6a4302b8d 26730->26732 26733 7ff6a4302ba9 26730->26733 26731 7ff6a4302bbb 26731->26673 26732->26731 26766 7ff6a42fb9d4 100 API calls _com_raise_error 26732->26766 26733->26731 26735 7ff6a4302bc1 SetFilePointer 26733->26735 26735->26731 26736 7ff6a4302bde GetLastError 26735->26736 26736->26731 26737 7ff6a4302be8 26736->26737 26737->26731 26767 7ff6a42fb9d4 100 API calls _com_raise_error 26737->26767 26741 7ff6a43028b6 26739->26741 26743 7ff6a43028bd 26739->26743 26740 7ff6a43022e0 GetStdHandle ReadFile GetLastError GetLastError GetFileType 26740->26743 26741->26673 26743->26740 26743->26741 26768 7ff6a42fb8b4 100 API calls _com_raise_error 26743->26768 26769 7ff6a4302738 26744->26769 26747 7ff6a4302a87 26747->26673 26750 7ff6a430201e 26749->26750 26751 7ff6a430202a 26749->26751 26750->26751 26777 7ff6a4302090 26750->26777 26753->26641 26754->26696 26755->26696 26756->26696 26757->26690 26758->26694 26759->26677 26760->26685 26761->26683 26762->26687 26763->26643 26764->26725 26765->26729 26770 7ff6a4302749 _snwprintf 26769->26770 26771 7ff6a4302850 SetFilePointer 26770->26771 26775 7ff6a4302775 26770->26775 26774 7ff6a4302878 GetLastError 26771->26774 26771->26775 26772 7ff6a43222a0 _handle_error 8 API calls 26773 7ff6a43027dd 26772->26773 26773->26747 26776 7ff6a42fb9d4 100 API calls _com_raise_error 26773->26776 26774->26775 26775->26772 26778 7ff6a43020c2 26777->26778 26780 7ff6a43020aa 26777->26780 26779 7ff6a43020e6 26778->26779 26783 7ff6a42fb554 100 API calls 26778->26783 26779->26751 26780->26778 26781 7ff6a43020b6 FindCloseChangeNotification 26780->26781 26781->26778 26783->26779 26784->26432 26786 7ff6a432114f 26787 7ff6a4321082 26786->26787 26788 7ff6a4321880 _com_raise_error 14 API calls 26787->26788 26789 7ff6a43210c1 26788->26789 26790 7ff6a4316b50 GetClientRect CopyRect 26791 7ff6a4316bf9 
26790->26791 26792 7ff6a43222a0 _handle_error 8 API calls 26791->26792 26793 7ff6a4316c08 26792->26793 26798 7ff6a4316c30 26799 7ff6a4316c54 26798->26799 26800 7ff6a4316c3d 26798->26800 26800->26799 26802 7ff6a4317dfc 26800->26802 26803 7ff6a4317e1b 26802->26803 26804 7ff6a4317e0c 26802->26804 26803->26799 26804->26803 26806 7ff6a4316e00 26804->26806 26809 7ff6a4316e3d 26806->26809 26835 7ff6a43170cf 26806->26835 26807 7ff6a43222a0 _handle_error 8 API calls 26808 7ff6a43170e0 26807->26808 26808->26803 26810 7ff6a42f129c 33 API calls 26809->26810 26811 7ff6a4316e74 26810->26811 26839 7ff6a4311374 26811->26839 26813 7ff6a4316ecb 26815 7ff6a42f2034 33 API calls 26813->26815 26814 7ff6a4316ea2 26814->26813 26816 7ff6a42f2034 33 API calls 26814->26816 26819 7ff6a4316eed 26815->26819 26816->26813 26817 7ff6a4316f11 26818 7ff6a4316fb1 26817->26818 26865 7ff6a4317344 33 API calls 26817->26865 26842 7ff6a4310f80 26818->26842 26819->26817 26822 7ff6a42f2034 33 API calls 26819->26822 26822->26817 26823 7ff6a4316fd4 26846 7ff6a4317e6c 26823->26846 26824 7ff6a42f1fa0 31 API calls 26824->26818 26825 7ff6a4316f2f memcpy_s 26825->26824 26838 7ff6a4317100 26825->26838 26827 7ff6a4316ff5 GlobalAlloc 26831 7ff6a4317026 26827->26831 26828 7ff6a4327884 _invalid_parameter_noinfo_noreturn 31 API calls 26829 7ff6a4317106 26828->26829 26830 7ff6a4327884 _invalid_parameter_noinfo_noreturn 31 API calls 26829->26830 26832 7ff6a431710c 26830->26832 26834 7ff6a431704b 26831->26834 26853 7ff6a4316c94 26831->26853 26834->26829 26834->26835 26836 7ff6a43170fb 26834->26836 26835->26807 26837 7ff6a4327884 _invalid_parameter_noinfo_noreturn 31 API calls 26836->26837 26837->26838 26838->26828 26840 7ff6a4311396 26839->26840 26841 7ff6a43113a1 CompareStringW 26840->26841 26841->26814 26843 7ff6a4311197 26842->26843 26844 7ff6a4310fae 26842->26844 26843->26823 26844->26843 26845 7ff6a4310928 33 API calls 26844->26845 26845->26844 26847 7ff6a4317e9b 26846->26847 26848 7ff6a4317f53 26846->26848 26852 
7ff6a4317ea7 memcpy_s 26847->26852 26866 7ff6a43165b8 33 API calls 2 library calls 26847->26866 26867 7ff6a42f704c 47 API calls memcpy_s 26848->26867 26851 7ff6a4317f58 26852->26827 26860 7ff6a4316cde 26853->26860 26854 7ff6a4316dd6 26855 7ff6a43222a0 _handle_error 8 API calls 26854->26855 26856 7ff6a4316dea 26855->26856 26856->26834 26857 7ff6a4316d7d 26868 7ff6a4317820 34 API calls 26857->26868 26859 7ff6a4316d89 26861 7ff6a4316db0 ShowWindow 26859->26861 26860->26854 26860->26857 26869 7ff6a42f2520 26861->26869 26865->26825 26866->26852 26867->26851 26868->26859 26870 7ff6a42f252a SetDlgItemTextW 26869->26870 26871 7ff6a42f2527 26869->26871 26872 7ff6a435e2e0 26870->26872 26871->26870 26873 7ff6a4317c90 26874 7ff6a4317cb9 SetWindowLongPtrW 26873->26874 26875 7ff6a4317cd3 NtdllDefWindowProc_W 26873->26875 26878 7ff6a4317110 26874->26878 26877 7ff6a435e260 26875->26877 26879 7ff6a4322150 33 API calls 26878->26879 26880 7ff6a431713d 26879->26880 26881 7ff6a4317212 26880->26881 26890 7ff6a4317d00 26880->26890 26881->26875 26883 7ff6a43171b8 26883->26881 26884 7ff6a4317279 26883->26884 26885 7ff6a431723f 26883->26885 26894 7ff6a4304de4 26884->26894 26886 7ff6a4304de4 35 API calls 26885->26886 26888 7ff6a4317244 26886->26888 26901 7ff6a43051f0 SysFreeString 26888->26901 26893 7ff6a4317d2d 26890->26893 26891 7ff6a43222a0 _handle_error 8 API calls 26892 7ff6a4317ded 26891->26892 26892->26883 26893->26891 26895 7ff6a4322150 33 API calls 26894->26895 26896 7ff6a4304e03 26895->26896 26897 7ff6a4304e10 SysAllocString 26896->26897 26898 7ff6a4304e2d 26896->26898 26897->26898 26899 7ff6a4304e3e 26898->26899 26900 7ff6a430521a SysFreeString 26898->26900 26899->26888 26900->26899 26901->26881 26902 7ff6a4322070 26903 7ff6a4322086 _com_error::_com_error 26902->26903 26908 7ff6a4323ff8 26903->26908 26905 7ff6a4322097 26906 7ff6a4321880 _com_raise_error 14 API calls 26905->26906 26907 7ff6a43220e3 26906->26907 26909 7ff6a4324017 26908->26909 26910 7ff6a4324034 RtlPcToFileHeader 
26908->26910 26909->26910 26911 7ff6a432405b RaiseException 26910->26911 26912 7ff6a432404c 26910->26912 26911->26905 26912->26911 26913 7ff6a431b110 27242 7ff6a42f255c 26913->27242 26915 7ff6a431b15b 26916 7ff6a431b16f 26915->26916 26917 7ff6a431be13 26915->26917 27059 7ff6a431b18c 26915->27059 26919 7ff6a431b25b 26916->26919 26920 7ff6a431b17f 26916->26920 26916->27059 27520 7ff6a431f310 26917->27520 26923 7ff6a431b311 26919->26923 26927 7ff6a431b275 26919->26927 26933 7ff6a430aaa0 48 API calls 26920->26933 26920->27059 26922 7ff6a43222a0 _handle_error 8 API calls 26926 7ff6a431c2d0 26922->26926 27251 7ff6a42f22bc GetDlgItem 26923->27251 26924 7ff6a431be49 26929 7ff6a431be70 GetDlgItem IsDlgButtonChecked 26924->26929 26930 7ff6a431be55 SendDlgItemMessageW 26924->26930 26925 7ff6a431be3a IsDlgButtonChecked 26925->26924 26931 7ff6a430aaa0 48 API calls 26927->26931 26934 7ff6a430629c 35 API calls 26929->26934 26930->26929 26936 7ff6a431b293 SetDlgItemTextW 26931->26936 26938 7ff6a431b1b6 26933->26938 26935 7ff6a431bec7 GetDlgItem 26934->26935 26940 7ff6a42f2520 SetDlgItemTextW 26935->26940 26941 7ff6a431b2a6 26936->26941 26937 7ff6a431b331 26963 7ff6a42f1fa0 31 API calls 26937->26963 27588 7ff6a42f1ec4 34 API calls _handle_error 26938->27588 26944 7ff6a431befa 26940->26944 26949 7ff6a431b2c0 GetMessageW 26941->26949 26941->27059 26942 7ff6a431b388 GetDlgItem 26945 7ff6a431b3cf SetFocus 26942->26945 26946 7ff6a431b3a2 IsDlgButtonChecked IsDlgButtonChecked 26942->26946 26943 7ff6a431b1c6 26947 7ff6a431b1dc 26943->26947 26952 7ff6a42f250c SetDlgItemTextW 26943->26952 27539 7ff6a4319168 GetClassNameW 26944->27539 26950 7ff6a431b472 26945->26950 26951 7ff6a431b3e5 26945->26951 26946->26945 26965 7ff6a431c2e3 26947->26965 26947->27059 26954 7ff6a431b2de IsDialogMessageW 26949->26954 26949->27059 27265 7ff6a42f8d04 26950->27265 26957 7ff6a430aaa0 48 API calls 26951->26957 26952->26947 26954->26941 26959 7ff6a431b2f3 TranslateMessage DispatchMessageW 26954->26959 26956 
7ff6a431b375 26956->26937 26961 7ff6a430aaa0 48 API calls 26956->26961 26962 7ff6a431b3ef 26957->26962 26959->26941 26960 7ff6a431b4ac 27275 7ff6a431ef00 26960->27275 26967 7ff6a431bc56 SetDlgItemTextW 26961->26967 26977 7ff6a42f129c 33 API calls 26962->26977 26963->27059 26968 7ff6a4327884 _invalid_parameter_noinfo_noreturn 31 API calls 26965->26968 26971 7ff6a430aaa0 48 API calls 26967->26971 26972 7ff6a431c2e8 26968->26972 26969 7ff6a431bf4e 26974 7ff6a431bf8a 26969->26974 26979 7ff6a430aaa0 48 API calls 26969->26979 26976 7ff6a431bc88 26971->26976 26983 7ff6a4327884 _invalid_parameter_noinfo_noreturn 31 API calls 26972->26983 26973 7ff6a431ce08 165 API calls 26973->26969 26981 7ff6a431ce08 165 API calls 26974->26981 27050 7ff6a431c0d5 26974->27050 26975 7ff6a430aaa0 48 API calls 26980 7ff6a431b4d5 26975->26980 26988 7ff6a42f129c 33 API calls 26976->26988 26978 7ff6a431b418 26977->26978 26982 7ff6a431f024 25 API calls 26978->26982 26984 7ff6a431bf61 SetDlgItemTextW 26979->26984 26985 7ff6a430da14 48 API calls 26980->26985 26987 7ff6a431bfa5 26981->26987 26989 7ff6a431b425 26982->26989 26990 7ff6a431c2ee 26983->26990 26991 7ff6a430aaa0 48 API calls 26984->26991 26986 7ff6a431b4e8 26985->26986 27289 7ff6a431f024 26986->27289 26993 7ff6a431bfee 26987->26993 27564 7ff6a4317aa8 ShowWindow 26987->27564 27015 7ff6a431bcb1 26988->27015 26989->26972 27007 7ff6a431b468 26989->27007 26997 7ff6a4327884 _invalid_parameter_noinfo_noreturn 31 API calls 26990->26997 26994 7ff6a431bf7c SetDlgItemTextW 26991->26994 26998 7ff6a431c0c7 26993->26998 26999 7ff6a431bffa SetForegroundWindow 26993->26999 26994->26974 26996 7ff6a431bd5a 27006 7ff6a430aaa0 48 API calls 26996->27006 27009 7ff6a431c2f4 26997->27009 27008 7ff6a431ce08 165 API calls 26998->27008 26999->26998 27004 7ff6a431c00f 26999->27004 27000 7ff6a431c280 27002 7ff6a431c2a8 27000->27002 27014 7ff6a430aaa0 48 API calls 27000->27014 27001 7ff6a42f1fa0 31 API calls 27013 7ff6a431b506 27001->27013 27016 7ff6a42f1fa0 31 API 
calls 27002->27016 27004->26998 27022 7ff6a431ce08 165 API calls 27004->27022 27005 7ff6a431b56c 27018 7ff6a431b59a 27005->27018 27589 7ff6a4303268 27005->27589 27020 7ff6a431bd64 27006->27020 27007->27005 27304 7ff6a431fa00 27007->27304 27008->27050 27025 7ff6a4327884 _invalid_parameter_noinfo_noreturn 31 API calls 27009->27025 27010 7ff6a431c1dc 27019 7ff6a4317aa8 47 API calls 27010->27019 27011 7ff6a431c218 27011->27000 27012 7ff6a431c278 IsDlgButtonChecked 27011->27012 27012->27000 27013->26990 27013->27007 27021 7ff6a431c299 SetDlgItemTextW 27014->27021 27015->26996 27026 7ff6a42f129c 33 API calls 27015->27026 27016->27059 27317 7ff6a4302f18 27018->27317 27023 7ff6a431c20d 27019->27023 27037 7ff6a42f129c 33 API calls 27020->27037 27021->27002 27027 7ff6a431c02d 27022->27027 27029 7ff6a42f1fa0 31 API calls 27023->27029 27031 7ff6a431c2fa 27025->27031 27032 7ff6a431bcff 27026->27032 27027->26998 27033 7ff6a431c03a DialogBoxParamW 27027->27033 27029->27011 27042 7ff6a4327884 _invalid_parameter_noinfo_noreturn 31 API calls 27031->27042 27039 7ff6a430aaa0 48 API calls 27032->27039 27033->26998 27052 7ff6a431c062 27033->27052 27035 7ff6a431b5cc 27329 7ff6a4307f84 27035->27329 27036 7ff6a431b5b4 GetLastError 27036->27035 27041 7ff6a431bd8d 27037->27041 27038 7ff6a42f129c 33 API calls 27038->27050 27043 7ff6a431bd0a 27039->27043 27040 7ff6a431b58e 27592 7ff6a4319d10 12 API calls _handle_error 27040->27592 27055 7ff6a42f129c 33 API calls 27041->27055 27046 7ff6a431c300 27042->27046 27048 7ff6a42f1150 33 API calls 27043->27048 27056 7ff6a4327884 _invalid_parameter_noinfo_noreturn 31 API calls 27046->27056 27047 7ff6a430aaa0 48 API calls 27047->27050 27051 7ff6a431bd22 27048->27051 27049 7ff6a431b5de 27053 7ff6a431b5e5 GetLastError 27049->27053 27054 7ff6a431b5f4 27049->27054 27050->27010 27050->27011 27050->27038 27050->27047 27058 7ff6a42f1150 33 API calls 27050->27058 27073 7ff6a42f2034 33 API calls 27050->27073 27085 7ff6a42f1fa0 31 API calls 27050->27085 27062 
7ff6a42f2034 33 API calls 27051->27062 27052->27046 27052->27059 27053->27054 27063 7ff6a431b60b GetTickCount 27054->27063 27066 7ff6a431b6ab 27054->27066 27146 7ff6a431b69c 27054->27146 27060 7ff6a431bdce 27055->27060 27057 7ff6a431c306 27056->27057 27061 7ff6a42f255c 62 API calls 27057->27061 27058->27050 27059->26922 27070 7ff6a42f1fa0 31 API calls 27060->27070 27072 7ff6a431c364 27061->27072 27064 7ff6a431bd3e 27062->27064 27332 7ff6a42f4228 27063->27332 27074 7ff6a42f1fa0 31 API calls 27064->27074 27065 7ff6a431b9d0 27065->26937 27601 7ff6a42fbd1c 33 API calls 27065->27601 27066->27065 27075 7ff6a4306414 34 API calls 27066->27075 27069 7ff6a431baf9 27091 7ff6a430aaa0 48 API calls 27069->27091 27077 7ff6a431bdf8 27070->27077 27079 7ff6a431c409 GetDlgItem SetFocus 27072->27079 27105 7ff6a431c368 27072->27105 27122 7ff6a431c37d 27072->27122 27073->27050 27080 7ff6a431bd4c 27074->27080 27081 7ff6a431b6ce 27075->27081 27083 7ff6a42f1fa0 31 API calls 27077->27083 27078 7ff6a431b9f5 27602 7ff6a42f1150 27078->27602 27089 7ff6a431c43a 27079->27089 27087 7ff6a42f1fa0 31 API calls 27080->27087 27593 7ff6a430b8d0 103 API calls 27081->27593 27082 7ff6a431b63a 27090 7ff6a42f1fa0 31 API calls 27082->27090 27092 7ff6a431be03 27083->27092 27085->27050 27086 7ff6a43222a0 _handle_error 8 API calls 27094 7ff6a431ca17 27086->27094 27087->26996 27102 7ff6a42f129c 33 API calls 27089->27102 27096 7ff6a431b648 27090->27096 27097 7ff6a431bb27 SetDlgItemTextW 27091->27097 27098 7ff6a42f1fa0 31 API calls 27092->27098 27093 7ff6a431ba0a 27099 7ff6a430aaa0 48 API calls 27093->27099 27095 7ff6a431b6e8 27101 7ff6a430da14 48 API calls 27095->27101 27342 7ff6a43020f4 27096->27342 27103 7ff6a42f2534 27097->27103 27098->26937 27104 7ff6a431ba17 27099->27104 27100 7ff6a431c3b4 SendDlgItemMessageW 27100->27105 27106 7ff6a431b72a GetCommandLineW 27101->27106 27107 7ff6a431c44c 27102->27107 27108 7ff6a431bb45 SetDlgItemTextW GetDlgItem 27103->27108 27109 7ff6a42f1150 33 API calls 27104->27109 
27105->27086 27110 7ff6a431b7e9 27106->27110 27111 7ff6a431b7cf 27106->27111 27606 7ff6a4308098 33 API calls 27107->27606 27114 7ff6a431bb70 GetWindowLongPtrW SetWindowLongPtrW 27108->27114 27115 7ff6a431bb93 27108->27115 27116 7ff6a431ba2a 27109->27116 27594 7ff6a431aad4 33 API calls _handle_error 27110->27594 27131 7ff6a42f20b0 33 API calls 27111->27131 27114->27115 27358 7ff6a431ce08 27115->27358 27121 7ff6a42f1fa0 31 API calls 27116->27121 27118 7ff6a431c460 27124 7ff6a42f250c SetDlgItemTextW 27118->27124 27130 7ff6a431ba35 27121->27130 27122->27100 27122->27105 27123 7ff6a431b7fa 27595 7ff6a431aad4 33 API calls _handle_error 27123->27595 27126 7ff6a431c474 27124->27126 27137 7ff6a431c4a6 SendDlgItemMessageW FindFirstFileW 27126->27137 27127 7ff6a431b675 GetLastError 27128 7ff6a431b684 27127->27128 27133 7ff6a4302004 101 API calls 27128->27133 27135 7ff6a42f1fa0 31 API calls 27130->27135 27131->27110 27132 7ff6a431b80b 27596 7ff6a431aad4 33 API calls _handle_error 27132->27596 27138 7ff6a431b691 27133->27138 27134 7ff6a431ce08 165 API calls 27139 7ff6a431bbbc 27134->27139 27140 7ff6a431ba43 27135->27140 27142 7ff6a431c4fb 27137->27142 27234 7ff6a431c984 27137->27234 27143 7ff6a42f1fa0 31 API calls 27138->27143 27508 7ff6a431f8f4 27139->27508 27151 7ff6a430aaa0 48 API calls 27140->27151 27141 7ff6a431b81c 27597 7ff6a430b970 103 API calls 27141->27597 27153 7ff6a430aaa0 48 API calls 27142->27153 27143->27146 27146->27066 27146->27069 27148 7ff6a431b833 27598 7ff6a431fb5c 33 API calls 27148->27598 27149 7ff6a431ca01 27149->27105 27150 7ff6a431ce08 165 API calls 27163 7ff6a431bbea 27150->27163 27155 7ff6a431ba5b 27151->27155 27157 7ff6a431c51e 27153->27157 27154 7ff6a431ca29 27158 7ff6a4327884 _invalid_parameter_noinfo_noreturn 31 API calls 27154->27158 27164 7ff6a42f129c 33 API calls 27155->27164 27156 7ff6a431b852 CreateFileMappingW 27159 7ff6a431b891 MapViewOfFile 27156->27159 27160 7ff6a431b8d3 ShellExecuteExW 27156->27160 27165 7ff6a42f129c 33 API calls 
27157->27165 27161 7ff6a431ca2e 27158->27161 27599 7ff6a43235c0 27159->27599 27171 7ff6a431b8f4 27160->27171 27166 7ff6a4327884 _invalid_parameter_noinfo_noreturn 31 API calls 27161->27166 27163->26956 27167 7ff6a431ce08 165 API calls 27163->27167 27176 7ff6a431ba84 27164->27176 27168 7ff6a431c54d 27165->27168 27169 7ff6a431ca34 27166->27169 27167->26956 27170 7ff6a42f1150 33 API calls 27168->27170 27175 7ff6a4327884 _invalid_parameter_noinfo_noreturn 31 API calls 27169->27175 27172 7ff6a431c568 27170->27172 27173 7ff6a431b916 WaitForInputIdle 27171->27173 27174 7ff6a431b943 27171->27174 27607 7ff6a42fe174 33 API calls 2 library calls 27172->27607 27179 7ff6a431b92b 27173->27179 27184 7ff6a431b95c UnmapViewOfFile CloseHandle 27174->27184 27185 7ff6a431b96f 27174->27185 27180 7ff6a431ca3a 27175->27180 27176->27031 27177 7ff6a431bada 27176->27177 27181 7ff6a42f1fa0 31 API calls 27177->27181 27179->27174 27183 7ff6a431b931 Sleep 27179->27183 27188 7ff6a4327884 _invalid_parameter_noinfo_noreturn 31 API calls 27180->27188 27181->26937 27182 7ff6a431c57f 27186 7ff6a42f1fa0 31 API calls 27182->27186 27183->27174 27183->27179 27184->27185 27185->27009 27187 7ff6a431b9a5 27185->27187 27189 7ff6a431c58c 27186->27189 27191 7ff6a42f1fa0 31 API calls 27187->27191 27190 7ff6a431ca40 27188->27190 27189->27161 27193 7ff6a42f1fa0 31 API calls 27189->27193 27194 7ff6a4327884 _invalid_parameter_noinfo_noreturn 31 API calls 27190->27194 27192 7ff6a431b9c2 27191->27192 27195 7ff6a42f1fa0 31 API calls 27192->27195 27196 7ff6a431c5f3 27193->27196 27197 7ff6a431ca46 27194->27197 27195->27065 27198 7ff6a42f250c SetDlgItemTextW 27196->27198 27199 7ff6a4327884 _invalid_parameter_noinfo_noreturn 31 API calls 27197->27199 27200 7ff6a431c607 FindClose 27198->27200 27201 7ff6a431ca4c 27199->27201 27202 7ff6a431c717 SendDlgItemMessageW 27200->27202 27203 7ff6a431c623 27200->27203 27204 7ff6a431c74b 27202->27204 27608 7ff6a431a24c 10 API calls _handle_error 27203->27608 27207 7ff6a430aaa0 48 API 
                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
• Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: Item$_invalid_parameter_noinfo_noreturn$Message$Text$ButtonChecked$FileSend$ErrorLast$CloseDialogFindFocusLoadStringView$CommandConcurrency::cancel_current_taskCountCreateDispatchExecuteFirstForegroundHandleIdleInputLineMappingParamParentShellSleepTickTranslateUnmapWaitWindow
                                                                                                                                                                                                                                                      • String ID: %s %s$-el -s2 "-d%s" "-sp%s"$@$LICENSEDLG$REPLACEFILEDLG$STARTDLG$__tmp_rar_sfx_access_check_$p$runas$winrarsfxmappingfile.tmp
                                                                                                                                                                                                                                                      • API String ID: 2317556752-2702805183
                                                                                                                                                                                                                                                      • Opcode ID: 9c4b530ab7b8c9e33aa02179776c6630b93a3d6be7cdb87929764d65eafbfe0b
                                                                                                                                                                                                                                                      • Instruction ID: d88e5ff22aef3e90fb04c38719079f810a394961567e169209e72f5be2c7570d
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9c4b530ab7b8c9e33aa02179776c6630b93a3d6be7cdb87929764d65eafbfe0b
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 35D2B362A0BE8285EE209B2AECD52F96361FF85790F804132D94D876FADF3DE544C711
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task$ButtonCheckedFileMove$ItemPathTemp
                                                                                                                                                                                                                                                      • String ID: .lnk$.tmp$<br>$@set:user$HIDE$MAX$MIN$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$lnk
                                                                                                                                                                                                                                                      • API String ID: 1440029262-3916287355
                                                                                                                                                                                                                                                      • Opcode ID: c04f74f1bc455da6ad029ef4608e9ad1a78ff85a50731a67a3b59bd2ccfab927
                                                                                                                                                                                                                                                      • Instruction ID: d1a592b0b7670363631165ebd50dddfafa78b5ba41ca4be74be6146e0524db89
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c04f74f1bc455da6ad029ef4608e9ad1a78ff85a50731a67a3b59bd2ccfab927
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DA13AC62A06B8289EF10DF6ADCC02EC27A1EF41398F900535DA1D97AF9DF39E595C350
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: File$EnvironmentHandleVariableView$_invalid_parameter_noinfo_noreturn$AddressCloseCurrentDirectoryModuleProcUnmap$CommandDialogIconInitializeLineLoadLocalMallocMappingOpenParamSleepTimeswprintf
                                                                                                                                                                                                                                                      • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                                                                                                                                                                                                                                      • API String ID: 3400486126-3710569615
                                                                                                                                                                                                                                                      • Opcode ID: b9bb0df58c05a53dd58fb618bc112ab22178addf13de5f4249adbae9c6152e2d
                                                                                                                                                                                                                                                      • Instruction ID: 1ccec2838b714701ac86c9333f2cbe7e8c1ae4bf62c3c15e00e6bf29512fe99f
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b9bb0df58c05a53dd58fb618bc112ab22178addf13de5f4249adbae9c6152e2d
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 13128F61A1BF8285EB10DB2AECC12B973A1FF95794F404231DA9D86AB5EF7CE144C740
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: Window$Rect$ItemText$ByteCharClientLongMetricsMultiSystemWideswprintf
                                                                                                                                                                                                                                                      • String ID: $%s:$CAPTION
                                                                                                                                                                                                                                                      • API String ID: 1936833115-404845831
                                                                                                                                                                                                                                                      • Opcode ID: f09754ff845102ccda79200273466886b6e7de95add5815e5c6e323da895e5c6
                                                                                                                                                                                                                                                      • Instruction ID: 444babc00962e0ed1ee7657de69edb477f749ab5f80191bdb2dbe987ea2061bf
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f09754ff845102ccda79200273466886b6e7de95add5815e5c6e323da895e5c6
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D491E632B19A518AE714DF2ABC8166A67A1FBD4784F405535EE4D87B68CF7CE805CB00
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%


                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
                                                                                                                                                                                                                                                      • String ID: PNG
                                                                                                                                                                                                                                                      • API String ID: 541704414-364855578
                                                                                                                                                                                                                                                      • Opcode ID: fd8ee907c37a37ea721c4e5c6a3baa4bdc4dc7e79f3e600676f8c4fa2d46fae9
                                                                                                                                                                                                                                                      • Instruction ID: 148ab8e09ef6dada89300aad15d8d946dd2b293dbdb2bdab829559935c08e3a9
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: fd8ee907c37a37ea721c4e5c6a3baa4bdc4dc7e79f3e600676f8c4fa2d46fae9
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A341EC25A1AF4681EE189B5BEC94379A3A1AF88B94F044435DE0DC77B4EFBCE4498710
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                      • String ID: __tmp_reference_source_
                                                                                                                                                                                                                                                      • API String ID: 3668304517-685763994
                                                                                                                                                                                                                                                      • Opcode ID: 4ffcfc19f1b0796573a5eda9f8f77978dce55072757d366e173134c2872727c3
                                                                                                                                                                                                                                                      • Instruction ID: 1b3a0a161597c3a14829d4ed87a135ba900d873d556c961f14ced895411109e0
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4ffcfc19f1b0796573a5eda9f8f77978dce55072757d366e173134c2872727c3
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0BD29962A0AAC292EA64CB66E9C03FE6761FF81744F444232DB9D936B5DF3DE454C700
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                      • String ID: CMT
                                                                                                                                                                                                                                                      • API String ID: 3668304517-2756464174
                                                                                                                                                                                                                                                      • Opcode ID: 63aa1de26aa6342674bb087408490be90b9907727457d9ddf72153425aed0d55
                                                                                                                                                                                                                                                      • Instruction ID: e1c9164abf5a0fe366bdb28ca5244e89634761d73390a57acd7c5648010385f1
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 63aa1de26aa6342674bb087408490be90b9907727457d9ddf72153425aed0d55
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 00E20722B0B68246EB18DB35DA902FD67A1FF95384F904135DB5E836AADF7DE065C300
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: FileFind$ErrorFirstLast_invalid_parameter_noinfo_noreturn$Next
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 474548282-0
                                                                                                                                                                                                                                                      • Opcode ID: 083738887a80dfdd435d0b3a7adacdcf0c3f6e619cdef7a444a6c352ce5ad5db
                                                                                                                                                                                                                                                      • Instruction ID: 9ac17c58d7bd4c0ccf9ec892311568c0559a0531d3ff9d4fb25e67d24996e31c
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 083738887a80dfdd435d0b3a7adacdcf0c3f6e619cdef7a444a6c352ce5ad5db
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DF61A662A0AE4292EA149F26ECC027D6361FBD57A4F505331EABD836E9DF7CD544C700
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID: CMT
                                                                                                                                                                                                                                                      • API String ID: 0-2756464174
                                                                                                                                                                                                                                                      • Opcode ID: a233297c88ebed2e631ec438d1cd10e1b0e3e5055da52990d200b0771bd9e9d4
                                                                                                                                                                                                                                                      • Instruction ID: ddf1d3ec8e4d407895b63ef685cdc782effeb552cdf100642b23d453c19a4bc9
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a233297c88ebed2e631ec438d1cd10e1b0e3e5055da52990d200b0771bd9e9d4
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6A42D422B0B68256EB18DB75CA913FD77A1EF51344F800139DB1E936AADF79E529C300
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: LongWindow
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1378638983-0
                                                                                                                                                                                                                                                      • Opcode ID: ec5a4545f448579742f63618fa41d237d2c116c8dac8a7d8a5a4bc6339973995
                                                                                                                                                                                                                                                      • Instruction ID: ed58387424f69459039897aa4e57b871bda63840a4afc8d169d2a37ad2b68999
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ec5a4545f448579742f63618fa41d237d2c116c8dac8a7d8a5a4bc6339973995
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DA01A232E09F94C6E6549F17BD8106977A5FB99FC0B084132DF4857769CE38D441C780
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: 9acbb5483d70c5b07c4dcb4646599c7b8855d9bcc00b9a93284f9ad307e5deb3
                                                                                                                                                                                                                                                      • Instruction ID: b6ec7bb57add5d00e275433a8bba68164e99d46ea453cd99202ffdc0c74e428a
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9acbb5483d70c5b07c4dcb4646599c7b8855d9bcc00b9a93284f9ad307e5deb3
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CFE12722A0AA828BEF60CF2EA8842BD7B90FB64748F154135DB5ED7765DE3CE4418710
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3ae9bacb7876dbc4cad2598336f428c4a3e3328114bcaec75bbf9fd027b82779
• Instruction ID: 3513e074d3bbf53925e15a3c35118f72440a9c4d166ebaec7ab9f5f09db18e40
• Opcode Fuzzy Hash: 3ae9bacb7876dbc4cad2598336f428c4a3e3328114bcaec75bbf9fd027b82779
• Instruction Fuzzy Hash: C4B1D0A2B06BC592EE18CA6ADA887E9A391FB45FC4F488036DE1D87751DF3CE155C310
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
• Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: Create$CriticalEventInitializeSectionSemaphore
• String ID:
• API String ID: 3340455307-0
• Opcode ID: a2359c96f1824a976a77550de9c29f4247eead3f480e8083da65659be86c6767
• Instruction ID: b4b17eab391c89ad35e38c6ad30aae02c2e355fb2cad3b9c0aae8859e174400c
• Opcode Fuzzy Hash: a2359c96f1824a976a77550de9c29f4247eead3f480e8083da65659be86c6767
• Instruction Fuzzy Hash: 6B412722B16E9246FB68DF23BD8177A2252FBD4794F148234DE0D87764DE3CE5428744
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (graph not preserved)
• Entry block: 7ff6a430df4c-7ff6a430dfa0
• API calls labelled in the graph: GetModuleHandleW, GetProcAddress, CreateFileW, CloseHandle, SetFilePointer, ReadFile, CompareStringW, AllocConsole, GetCurrentProcessId, AttachConsole, GetStdHandle, WriteConsoleW, Sleep, FreeConsole, ExitProcess
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadModulePointerReadSleepStringSystemVersionWrite
• String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
• API String ID: 1496594111-2013832382
• Opcode ID: 3aa8c28f9120c02d340578887b64a391ce3782a5a0e6be7639438d4844472d07
• Instruction ID: a3c206c3808b5780fcb149d1ea2e9470df6b5bd73ed995a1d37783f3c7284970
• Opcode Fuzzy Hash: 3aa8c28f9120c02d340578887b64a391ce3782a5a0e6be7639438d4844472d07
• Instruction Fuzzy Hash: 25321B35A0AF8295EB119F62EC812E973A4FF84354F900236DA4D867B9EF7CE654C740
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00007FF6A4308E18: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6A4308F4D
• _snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6A4309F35
• _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6A430A3EF
• _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6A430A3F5
  • Part of subcall function 00007FF6A4310B3C: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6A4310AC4), ref: 00007FF6A4310B69
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$ByteCharConcurrency::cancel_current_taskMultiWide_snwprintf
• String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
• API String ID: 3629253777-3268106645
• Opcode ID: 66f2588a416ec8c83bda61d0c18cb39f48cae60feca6065f517ad6e53dbae03f
• Instruction ID: ba7e06813894a676c505f3c9ea5d043bdbac559668587847145deb77f79f93f4
• Opcode Fuzzy Hash: 66f2588a416ec8c83bda61d0c18cb39f48cae60feca6065f517ad6e53dbae03f
• Instruction Fuzzy Hash: A962B122A1AE4296EB10DB26DCC42BE7365FF90784F805231DA5E876E5EF7CE944C340
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (graph not preserved)
• Entry block: 7ff6a4321880-7ff6a4321909
• API calls labelled in the graph: RaiseException, LoadLibraryExA, GetLastError, FreeLibrary, GetProcAddress
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: DloadSection$AccessExceptionProtectRaiseReleaseWrite$ErrorLastLibraryLoad
                                                                                                                                                                                                                                                      • String ID: H
                                                                                                                                                                                                                                                      • API String ID: 3432403771-2852464175
                                                                                                                                                                                                                                                      • Opcode ID: c747dab0563719ebcac82db4dc8ab060d8be692e48dcdd0dd925af41b53a7671
                                                                                                                                                                                                                                                      • Instruction ID: 55abb9e914eb81a728b4f7438e2370e90ae2b464f35f5a20bdcd6f8975d09f0e
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c747dab0563719ebcac82db4dc8ab060d8be692e48dcdd0dd925af41b53a7671
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 72915826A06F128AEF14CF66DD806AC73B0FB18B98B494535DE0D97B64EF78E445C380
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: Window$Show$CloseCodeExecuteExitHandleIdleInputProcessShellVisibleWait_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                      • String ID: .exe$.inf$Install$p
                                                                                                                                                                                                                                                      • API String ID: 148627002-3607691742
                                                                                                                                                                                                                                                      • Opcode ID: ad81357b6ea3f931eb0c152ccda9f77bc0827646f8ee8761dc8d6f8e26ea1a75
                                                                                                                                                                                                                                                      • Instruction ID: 7482329e1f1a3c09c788f5b09141ad092a83c17670f373bac1de1a0e6b5d335e
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ad81357b6ea3f931eb0c152ccda9f77bc0827646f8ee8761dc8d6f8e26ea1a75
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: ACC14862F1AE0285FE10CB2ADDD427D23B1AF89B84F444531DA4E87AB5DF3CE895C214
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: Window$Show$Parent$ClassCreateCursorDestroyLoadPointsRectRegisterUpdate
                                                                                                                                                                                                                                                      • String ID: RarHtmlClassName
                                                                                                                                                                                                                                                      • API String ID: 2859687067-1658105358
                                                                                                                                                                                                                                                      • Opcode ID: e61806d4995b6197c20590cc1e84a9d2430e7e9d2d5b3509b02ee98fded6cc23
                                                                                                                                                                                                                                                      • Instruction ID: aa1c06b99e6c17fcfe064866595e6e8092128c37021d7c19cbc1531195f0756a
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e61806d4995b6197c20590cc1e84a9d2430e7e9d2d5b3509b02ee98fded6cc23
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 88518322A0AF828AEA649F26E89537A6360FF85780F444535DE8E87B65DF3DE0458700
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: ButtonChecked$Message$Window$DestroyDialogDispatchItemPeekShowTranslate
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1967028048-0
                                                                                                                                                                                                                                                      • Opcode ID: d034e05cf2ee9d9bbd0f2927dddd7a5f6895878a46b9a51b2d75114531de0697
                                                                                                                                                                                                                                                      • Instruction ID: 8c49d66b3b9fa3a7e7b3af677d1b85edd00099c5d1ba12422d6b0ebba1619625
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d034e05cf2ee9d9bbd0f2927dddd7a5f6895878a46b9a51b2d75114531de0697
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7741DC25B15E428AF7408F66EC51BAE33A0EB89B98F400035DD0E87BA5CF7DE449C750
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
• Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskOpen
                                                                                                                                                                                                                                                      • String ID: GETPASSWORD1$Software\WinRAR SFX
                                                                                                                                                                                                                                                      • API String ID: 3793078965-1315819833
                                                                                                                                                                                                                                                      • Opcode ID: b078900cb13599d62c0801072d2a32f62caee5a0f070c48cbb4a346a8e4dbcf7
                                                                                                                                                                                                                                                      • Instruction ID: fdafa926a18b4328da3a95b3662ce6562f72f886a1e527c72e5d39001b88383a
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b078900cb13599d62c0801072d2a32f62caee5a0f070c48cbb4a346a8e4dbcf7
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3FB1B062F0AB4285FF009BAAD8842BC3372AF45398F404235DA5CA6AE9DE7CE545C350
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
• Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn$AllocGlobal
                                                                                                                                                                                                                                                      • String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
                                                                                                                                                                                                                                                      • API String ID: 2721297748-1533471033
                                                                                                                                                                                                                                                      • Opcode ID: c260321460ef5b9ecb46faae32cf6e49ce157a8f6490be7222d78fb8d8663caa
                                                                                                                                                                                                                                                      • Instruction ID: a98a993268e64e140e9b9f67c5bc524d0649055f025552e70f1af331f790d949
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c260321460ef5b9ecb46faae32cf6e49ce157a8f6490be7222d78fb8d8663caa
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 34816A62F1AE4286EF00DBAADC802ED7371AF44798F444535DE1D976AAEF38E506C350
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
• Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 3668304517-0
                                                                                                                                                                                                                                                      • Opcode ID: 2d448299aaad36beca9c077f087317c804cd0ab9297317bbf8502f44035f40aa
                                                                                                                                                                                                                                                      • Instruction ID: 60174bf2e34efe7325c4a521b2fd360c36b4278b1f4a93ae78a9908dd798881d
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2d448299aaad36beca9c077f087317c804cd0ab9297317bbf8502f44035f40aa
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0B12BE62B0AB4285FB10DBA5D9842BD2371AF457A8F800232DA5C97AF9DF3DE595C340
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
• Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: File$CreateErrorLast$Time_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 3536497005-0
                                                                                                                                                                                                                                                      • Opcode ID: 96e9081ff4bc34e56434afd79359cf8921b737578e2ea268c4aacff097592dd7
                                                                                                                                                                                                                                                      • Instruction ID: 463c61caebb5d20bc9e1a166ff9b50bcbee12f1802d8babde52eb7c6c97cb141
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 96e9081ff4bc34e56434afd79359cf8921b737578e2ea268c4aacff097592dd7
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 72611666A09B4186F7248B2AE88036E67B1F7857A8F104334DFAD43AE8CF7DD4948744
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
• Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: CloseCreateValue_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                      • String ID: Software\WinRAR SFX
                                                                                                                                                                                                                                                      • API String ID: 207320342-754673328
                                                                                                                                                                                                                                                      • Opcode ID: e8e90543992a3f9c6fbb3990f7c2891726737094e29d9278324ed48cb8169734
                                                                                                                                                                                                                                                      • Instruction ID: f9f9d4f98b330bf4ff21f06d8737548b50f97d883159caad0b02919537cd3a50
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e8e90543992a3f9c6fbb3990f7c2891726737094e29d9278324ed48cb8169734
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 83415272605E4289EB10CF26ECD56AD33A1FB88798F405631EA5C83BA8DF7CD145C710
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
• Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: Message$DispatchObjectPeekSingleTranslateWait
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 3621893840-0
                                                                                                                                                                                                                                                      • Opcode ID: 778d1433a15cb232463e835737ecf941f1ea11e5feb15a2f4f0cdc38d0c17baa
                                                                                                                                                                                                                                                      • Instruction ID: 73fb22ffdf2cc39b03c628b971830dc5ad351401e1dc2eaccdf187e9867e34fd
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 778d1433a15cb232463e835737ecf941f1ea11e5feb15a2f4f0cdc38d0c17baa
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 76F06221B3985683FB509B36ECD5F7A2211FFE4705F941030E64EC18A4DE2CD149C710
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
• Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: Message$DialogDispatchPeekTranslate
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1266772231-0
                                                                                                                                                                                                                                                      • Opcode ID: 48dfac8e33024647184e1a60fb39053494a02480d92f3e69543185b5e5c85bfd
                                                                                                                                                                                                                                                      • Instruction ID: 44cec6f51e86523eaf99082628de27a03b1751f5ef65b9e78b5c9fbc5a32cce1
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 48dfac8e33024647184e1a60fb39053494a02480d92f3e69543185b5e5c85bfd
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BBF0EC25B39D5286FB90AB26EDD6A762261BF90705F805031E54EC1864DF2CD208CB11
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
• Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                                                                                                                                                                                                                      • String ID: EDIT
                                                                                                                                                                                                                                                      • API String ID: 4243998846-3080729518
                                                                                                                                                                                                                                                      • Opcode ID: 3006384394de3d7d6335ffca3663b2ae555a506821308572bdb38291f1b12f27
                                                                                                                                                                                                                                                      • Instruction ID: bc7c54d9292cfd9ac59e15371eeebc9d4233cfc9762119db41be24abaaf9cf91
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3006384394de3d7d6335ffca3663b2ae555a506821308572bdb38291f1b12f27
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: ED018121B0AE4381FE60AB27FCD53F66390AF98740F440031CD5E86675DE2CE289C650
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
• Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: FileWrite$Handle
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 4209713984-0
                                                                                                                                                                                                                                                      • Opcode ID: 0e2e947f5374c0ddd2130b56bb75e1f08e0d4936f885f01de5306a6f3d1a31f8
                                                                                                                                                                                                                                                      • Instruction ID: 02ef524c3b3741f0074abb73f4ba9a6133c6707a8a91f5153bb57e3fa71a21e5
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0e2e947f5374c0ddd2130b56bb75e1f08e0d4936f885f01de5306a6f3d1a31f8
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7051E662B1AE4292FA54CB26DC8477A6360FF84B94F444231EE4D86AF4DF7CE985C700
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn$ItemText
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 3750147219-0
                                                                                                                                                                                                                                                      • Opcode ID: 371ab75bc071f99a5028cb8c889c15b674a59f1aae7c28277644c138828b408c
                                                                                                                                                                                                                                                      • Instruction ID: 1d1498328f770b37f40643a5b554c59db44874e9936f9959435b4263a3b79a41
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 371ab75bc071f99a5028cb8c889c15b674a59f1aae7c28277644c138828b408c
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1551B262F16E5285FA009BA6DC852AD3331AF55BA4F504636DB1C97BE6EF6CD044C340
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: CreateDirectory$ErrorLast_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 2359106489-0
                                                                                                                                                                                                                                                      • Opcode ID: f39be113e418844c050710ae0b9bbff5d1182e893cf4f98cfd5c6eb477310cde
                                                                                                                                                                                                                                                      • Instruction ID: 00d11185832c0f701fb55de7fecb1a553540ba97a9b44169eccf6bb376a04191
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f39be113e418844c050710ae0b9bbff5d1182e893cf4f98cfd5c6eb477310cde
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1831E662A0EF4281EA248B27ADC427D6251FFC8B90F540371EE9DC36E5CF3CE6418600
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1452418845-0
                                                                                                                                                                                                                                                      • Opcode ID: ac8e0d61ad9562805f3f0f4ceccdbb6567ef63bb883097c4bc40aa5993711c11
                                                                                                                                                                                                                                                      • Instruction ID: b728a954e18f4444a6b44e4a6684092ab8d6cbbe260c4e65e48463be5eee3ca7
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ac8e0d61ad9562805f3f0f4ceccdbb6567ef63bb883097c4bc40aa5993711c11
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A6313B21E0FD0246FA58AB67DCD13B93291AF65784F4484B4EA0ECB2F7DE6CE5048691
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6A432C3DB), ref: 00007FF6A4330B11
                                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF6A432C3DB), ref: 00007FF6A4330B73
                                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF6A432C3DB), ref: 00007FF6A4330BAD
                                                                                                                                                                                                                                                      • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6A432C3DB), ref: 00007FF6A4330BD7
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: ByteCharEnvironmentMultiStringsWide$Free
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1557788787-0
                                                                                                                                                                                                                                                      • Opcode ID: 57e6a8c8eb3660c1ef58ab29e04114fb274abfae31478a384663a9e2e76f5968
                                                                                                                                                                                                                                                      • Instruction ID: e8b9b0100ec0c5ca777b57e39e8cb5f3ccb999eb262e96a4c3f2b1b9a2b66684
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 57e6a8c8eb3660c1ef58ab29e04114fb274abfae31478a384663a9e2e76f5968
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A8215321F1AF5281E6249F136880129F6A4FB54FD4B085174DE9EA3BB8DF7CF4518744
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: ErrorLast$FileHandleRead
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 2244327787-0
                                                                                                                                                                                                                                                      • Opcode ID: d9ea8162334859a899980f74fa79e6bbf85c98ea8a13f51b84765ec106e6a7b0
                                                                                                                                                                                                                                                      • Instruction ID: c8529edc637d81b88eafd67b269af9a630ca297cd57c74e140b0e4387fca52f2
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d9ea8162334859a899980f74fa79e6bbf85c98ea8a13f51b84765ec106e6a7b0
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4E215421E0EE5286EB605B13AC8033D6394FB85B94F148671DA5DCB6A4CF7CEC458752
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A430EC58: ResetEvent.KERNEL32 ref: 00007FF6A430EC71
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A430EC58: ReleaseSemaphore.KERNEL32 ref: 00007FF6A430EC87
                                                                                                                                                                                                                                                      • ReleaseSemaphore.KERNEL32 ref: 00007FF6A430E8F0
                                                                                                                                                                                                                                                      • FindCloseChangeNotification.KERNEL32 ref: 00007FF6A430E90F
                                                                                                                                                                                                                                                      • DeleteCriticalSection.KERNEL32 ref: 00007FF6A430E926
                                                                                                                                                                                                                                                      • CloseHandle.KERNEL32 ref: 00007FF6A430E933
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A430E9D8: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF6A430E8DB,?,?,?,00007FF6A43045FA,?,?,?), ref: 00007FF6A430E9DF
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A430E9D8: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF6A430E8DB,?,?,?,00007FF6A43045FA,?,?,?), ref: 00007FF6A430E9EA
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: CloseReleaseSemaphore$ChangeCriticalDeleteErrorEventFindHandleLastNotificationObjectResetSectionSingleWait
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 2143293610-0
                                                                                                                                                                                                                                                      • Opcode ID: 2e544ca9f261f0376ccf83801800674c3d7e3c4b44cdcb23e888c53b8c5725df
                                                                                                                                                                                                                                                      • Instruction ID: 9c72ff224bad319441cd8dcccf86f04c80521c7cce67f9c13604b8ff4a0124b5
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2e544ca9f261f0376ccf83801800674c3d7e3c4b44cdcb23e888c53b8c5725df
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 67014437A15E91A2E648DB22E9C526DA371FB84780F004131DB6D83631CF79F4B4C740
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                      • String ID: DXGIDebug.dll
                                                                                                                                                                                                                                                      • API String ID: 3668304517-540382549
                                                                                                                                                                                                                                                      • Opcode ID: 568566f810dfacac45f341c9d31fb355523afe8cad39105e38284cb17cd2a31a
                                                                                                                                                                                                                                                      • Instruction ID: 206896234735ee6aa843e0ec5effe22be51181049f199f54b39ab7ae639f7b12
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 568566f810dfacac45f341c9d31fb355523afe8cad39105e38284cb17cd2a31a
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1D71AC72A06B8186EB148F26E9803ADB3A4FB547D4F404235DBAC47BA9DF7CE161C340
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: GlobalResource$AllocBitmapGdipLoadLock$CreateFindFreeFromObjectSizeofUnlock
                                                                                                                                                                                                                                                      • String ID: ]
                                                                                                                                                                                                                                                      • API String ID: 3029289444-3352871620
                                                                                                                                                                                                                                                      • Opcode ID: c6bf9e19450fbf4cc7b28015e62d6f04fdd2e3c624e8f0d9c6f2b4e6ab7b0bdc
                                                                                                                                                                                                                                                      • Instruction ID: 02395f06c18a6f70bd297eaca9fb54619b5bdf28944af97107cc2cec7774cae1
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c6bf9e19450fbf4cc7b28015e62d6f04fdd2e3c624e8f0d9c6f2b4e6ab7b0bdc
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 48118621B0FE4245FE58EB579ED52799291AF88BC5F080034D95D87BB9DF7CE804CA11
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: Thread$CreatePriority
                                                                                                                                                                                                                                                      • String ID: CreateThread failed
                                                                                                                                                                                                                                                      • API String ID: 2610526550-3849766595
                                                                                                                                                                                                                                                      • Opcode ID: 485e209270f66b590ec8176dafed7bfb240ecdea8f700010846f48018d17601d
                                                                                                                                                                                                                                                      • Instruction ID: 0054e6dd5538b6b27cd50775e2e0cdb3d3d2f9d0052a3c772665066a66bbb76d
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 485e209270f66b590ec8176dafed7bfb240ecdea8f700010846f48018d17601d
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F9116D31A0AE4282E704DB12FC812A9B371FF84794F944231EA4D82679DF7DE592C740
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: DirectoryInitializeMallocSystem
                                                                                                                                                                                                                                                      • String ID: riched20.dll
                                                                                                                                                                                                                                                      • API String ID: 174490985-3360196438
                                                                                                                                                                                                                                                      • Opcode ID: a2ea48ad6eaf40a2712c31cf90fd1ad0c531bf965d53d4a99af5176349890e79
                                                                                                                                                                                                                                                      • Instruction ID: 9a1c47b87c6dcd38fe2dbf7f404c844bc0734c6154dd6b139a457c4abca84eed
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a2ea48ad6eaf40a2712c31cf90fd1ad0c531bf965d53d4a99af5176349890e79
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A3F04F71619E4186EB409F61F8956AEB7A0FF88754F400135E68D82B74DF7CE148CB01
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A43184BC: GlobalMemoryStatusEx.KERNEL32 ref: 00007FF6A43184EC
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A430AAA0: LoadStringW.USER32 ref: 00007FF6A430AB27
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A430AAA0: LoadStringW.USER32 ref: 00007FF6A430AB40
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A42F1FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6A42F1FFB
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A42F129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6A42F1396
                                                                                                                                                                                                                                                      • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6A432013B
                                                                                                                                                                                                                                                      • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6A4320141
                                                                                                                                                                                                                                                      • SendDlgItemMessageW.USER32 ref: 00007FF6A4320172
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn$LoadString$Concurrency::cancel_current_taskGlobalItemMemoryMessageSendStatus
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 3106221260-0
                                                                                                                                                                                                                                                      • Opcode ID: 3b8d238b842e59327892d7a9c381640647aeb18a20af9d6b9c58c04cd74eeba4
                                                                                                                                                                                                                                                      • Instruction ID: 9bfdd96ad5e3e31c9488ca7db7241676278d9047b326c39a3cc624707031ea11
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3b8d238b842e59327892d7a9c381640647aeb18a20af9d6b9c58c04cd74eeba4
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C551C462F06A4246FB109BA6DC852FD3362AF94794F804235DF1D977EAEE6CE500C380
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: CloseOpen
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 47109696-0
                                                                                                                                                                                                                                                      • Opcode ID: 499a6763844c5f7a569635e27cfe6ae43fa4c958dfd53777d955342ddd3d8861
                                                                                                                                                                                                                                                      • Instruction ID: 0e59b625348ea745f9b038467dc8b3e4d44e6958a5efe5ae842f47ed678f335f
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 499a6763844c5f7a569635e27cfe6ae43fa4c958dfd53777d955342ddd3d8861
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: FA519D62B16A0689EF10DFBAD8846AD2371FB48B88B444535DE5D97BA8DE38D490C350
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
Similarity
• API ID: Concurrency::cancel_current_task__std_exception_copy_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 2371198981-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
Similarity
• API ID: CreateFile$_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 2272807158-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
Similarity
• API ID: TextWindow$Length_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 2176759853-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
Similarity
• API ID: std::bad_alloc::bad_alloc
• String ID:
• API String ID: 1875163511-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
Similarity
• API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 1203560049-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: DeleteFile$_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 3118131910-0
                                                                                                                                                                                                                                                      • Opcode ID: 0f937c2f2206f17e136aa9ca44b849dff8f95196abcbcd754bafe0a2f8f578b6
                                                                                                                                                                                                                                                      • Instruction ID: 8d97bed4bcac7cd738362bf0dc870efa171f491e20d6eaa5f14f8af68eb532da
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0f937c2f2206f17e136aa9ca44b849dff8f95196abcbcd754bafe0a2f8f578b6
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4821CB32A19F8281EA108B26FC8526E7360FFC4B94F500330EA9D86AB5DF3CE240C740
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1203560049-0
                                                                                                                                                                                                                                                      • Opcode ID: 40705733cb67a71df3fff18e5a759fe286a379e9125aaba215c8f3cf6f78a58b
                                                                                                                                                                                                                                                      • Instruction ID: c98ada0577723da1226eff6b1035f04e2da67466120b988957a27b5c003b278e
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 40705733cb67a71df3fff18e5a759fe286a379e9125aaba215c8f3cf6f78a58b
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D5217422A19F8182EA108B2AFCC522D7361FBC97A4F544371EA9D87AE5DF3CD5418644
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: Item$RectText$ClientParentWindowswprintf
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 209416863-0
                                                                                                                                                                                                                                                      • Opcode ID: b1e1e049dd5e2ad137b0382b0bc9e4d843d915bd339b20a0dba0486b348c3455
                                                                                                                                                                                                                                                      • Instruction ID: a3c94c1d4b3f10c69a2cecf05f8deb5736db9775c8576bc9f25672005782a75c
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b1e1e049dd5e2ad137b0382b0bc9e4d843d915bd339b20a0dba0486b348c3455
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B4015E20A0FA4A41FF596752ADD92795391EF86784F880034C84E866BDDE6EF894C311
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6A42FF8A5
                                                                                                                                                                                                                                                      • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6A42FF8AB
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A4303E88: FindClose.KERNEL32(?,?,00000000,00007FF6A4310791), ref: 00007FF6A4303EBD
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn$CloseFind
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 3587649625-0
                                                                                                                                                                                                                                                      • Opcode ID: 22f3267453af1bea810c6b9036b67e89873d9ec2deed60e31890ea9e754468c1
                                                                                                                                                                                                                                                      • Instruction ID: fd8fb8d60fc7e74eb25b1a696c30715a4d2003cd7cf1a57311709b72f76629e1
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 22f3267453af1bea810c6b9036b67e89873d9ec2deed60e31890ea9e754468c1
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2691AE33B1AA8190FB10DB64DD802AD6361FF84798F904236EA4C87AB9DF79D595C340
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 3668304517-0
                                                                                                                                                                                                                                                      • Opcode ID: 87b83290662297e5c2129baa50ca266b02a142d2f175bee5a0958314259d1dcd
                                                                                                                                                                                                                                                      • Instruction ID: 7a457cb8b37f2f1c776e99404e28f714c28d4ef04e7f6da3dbe1fae1cf8ef431
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 87b83290662297e5c2129baa50ca266b02a142d2f175bee5a0958314259d1dcd
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2641E222F17A5285FB149BB2DD806FD2320AF44BD8F940235DE1DA7AEDDE39D4928340
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: ErrorFileLastPointer
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 2976181284-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: Item_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1746051919-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: File$BuffersFlushTime
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1392018926-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: Initialize_invalid_parameter_noinfo_set_fmode
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 3548387204-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: Rect$ClientCopy
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1880273418-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: ErrorFileLastPointer
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 2976181284-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6A430EB29,?,?,?,?,00007FF6A4305712,?,?,?,00007FF6A430569E), ref: 00007FF6A430EAD8
                                                                                                                                                                                                                                                      • GetProcessAffinityMask.KERNEL32 ref: 00007FF6A430EAEB
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: Process$AffinityCurrentMask
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1231390398-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1173176844-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: ErrorLanguagesLastPreferredRestoreThread
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 588628887-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 3668304517-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: CompareString_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1017591355-0
                                                                                                                                                                                                                                                      • Opcode ID: a9299d2a3130dccdd2b512c98cf76da81dd81bba2a2d1ba96f3ce2257837a3a3
                                                                                                                                                                                                                                                      • Instruction ID: c243d53e1e7373e1706fae44bb9cfac63ff2bc365b19abbe595974a24854906d
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a9299d2a3130dccdd2b512c98cf76da81dd81bba2a2d1ba96f3ce2257837a3a3
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C8613211E0FE5341FA60DA279C962BE62A0AFC1BD1F644331EE4DC6AF5EE7CE4418210
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A430E8C4: ReleaseSemaphore.KERNEL32 ref: 00007FF6A430E8F0
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A430E8C4: FindCloseChangeNotification.KERNEL32 ref: 00007FF6A430E90F
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A430E8C4: DeleteCriticalSection.KERNEL32 ref: 00007FF6A430E926
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A430E8C4: CloseHandle.KERNEL32 ref: 00007FF6A430E933
                                                                                                                                                                                                                                                      • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6A4311A4B
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: Close$ChangeCriticalDeleteFindHandleNotificationReleaseSectionSemaphore_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1624603282-0
                                                                                                                                                                                                                                                      • Opcode ID: 1b4edcf5b0cb869ff0ffe94daee41a327ccc42e13db7b1c1f20f9d504b5db247
                                                                                                                                                                                                                                                      • Instruction ID: ac8869e5e5512568a40e59fb0ff069eb23cc66420ebabd46bcf5271a19f02295
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1b4edcf5b0cb869ff0ffe94daee41a327ccc42e13db7b1c1f20f9d504b5db247
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 17618162B17E85A2EE08DB6AD9D40BC7365FF45B90F544232DB2D47AE5CF2CE4618340
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 3668304517-0
                                                                                                                                                                                                                                                      • Opcode ID: 375484ce4ee7e3849f192cbc1300f28bd246348a96fded221c718b05a1e82393
                                                                                                                                                                                                                                                      • Instruction ID: 363e4cc9f7798989567e21463105a5207e8868cc93a88239aa21b9c1bfd8f322
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 375484ce4ee7e3849f192cbc1300f28bd246348a96fded221c718b05a1e82393
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5251D662A0AA4251FB559B2AED843B92751FF85BD4F840136DE4D877BACF3EE491C300
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A4303E88: FindClose.KERNEL32(?,?,00000000,00007FF6A4310791), ref: 00007FF6A4303EBD
                                                                                                                                                                                                                                                      • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6A42FE9A3
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: CloseFind_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1011579015-0
                                                                                                                                                                                                                                                      • Opcode ID: 7e6327150e3ce0c451cb400d7a8f449b7137c37f6cfba28a80f2350899245dea
                                                                                                                                                                                                                                                      • Instruction ID: f8e26b7b8d8f3bba74d11e2f468b0e779a9d5dd351534b446bea43d39ea2ef99
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7e6327150e3ce0c451cb400d7a8f449b7137c37f6cfba28a80f2350899245dea
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F8519222A0BA8682FBA1DF19D9C537D2361FF84B84F840135DA4D87AB9CF2ED451C715
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 3668304517-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 3668304517-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: ShowWindow
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1268545403-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: Concurrency::cancel_current_task
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 118556049-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Similarity
• API ID: Concurrency::cancel_current_task, std::bad_alloc::bad_alloc
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 680105476-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A431F024: GetDlgItem.USER32 ref: 00007FF6A431F063
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A431F024: ShowWindow.USER32 ref: 00007FF6A431F089
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A431F024: IsDlgButtonChecked.USER32 ref: 00007FF6A431F09E
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A431F024: IsDlgButtonChecked.USER32 ref: 00007FF6A431F0B6
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A431F024: IsDlgButtonChecked.USER32 ref: 00007FF6A431F0D7
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A431F024: IsDlgButtonChecked.USER32 ref: 00007FF6A431F0F3
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A431F024: IsDlgButtonChecked.USER32 ref: 00007FF6A431F136
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A431F024: IsDlgButtonChecked.USER32 ref: 00007FF6A431F154
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A431F024: IsDlgButtonChecked.USER32 ref: 00007FF6A431F168
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A431F024: IsDlgButtonChecked.USER32 ref: 00007FF6A431F192
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A431F024: IsDlgButtonChecked.USER32 ref: 00007FF6A431F1AA
                                                                                                                                                                                                                                                      • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6A431FC83
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: ButtonChecked$ItemShowWindow_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 4003826521-0
                                                                                                                                                                                                                                                      • Opcode ID: cb971a2da5dd52bde981bb7ed32855858490f9ea8129ed2d6666214387655928
                                                                                                                                                                                                                                                      • Instruction ID: 9dc685e1ecb03a85fc8619172f6c8bbd907d83c7e23840af7500fc84a102155b
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: cb971a2da5dd52bde981bb7ed32855858490f9ea8129ed2d6666214387655928
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9601C8A2E1AA8542FD14976AE88637D7311EF99794F401331EB9C86AEADF2CE1408604
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 3668304517-0
                                                                                                                                                                                                                                                      • Opcode ID: c8b781f2ad71496b21cf3b68f31d524a7834cb59639121bfcf466c3d046bcaab
                                                                                                                                                                                                                                                      • Instruction ID: ec4e93b7e263f3d4cb946bc326894d2809f2eca2a1b2a46d948f57e108dee718
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c8b781f2ad71496b21cf3b68f31d524a7834cb59639121bfcf466c3d046bcaab
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4D01C862E1AB8541FA249725EC852697361FF89790F805231E69C47BB9DF2DD1408704
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A4321584: GetModuleHandleW.KERNEL32(?,?,?,00007FF6A43214F3,?,?,?,00007FF6A43218AA), ref: 00007FF6A43215AB
                                                                                                                                                                                                                                                      • DloadProtectSection.DELAYIMP ref: 00007FF6A4321549
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: DloadHandleModuleProtectSection
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 2883838935-0
                                                                                                                                                                                                                                                      • Opcode ID: 799d038b7158803bea933cf39b0b77b6ad7abc565185a6302c43ebec12009330
                                                                                                                                                                                                                                                      • Instruction ID: 444914ca884151cd42978a8ee42443b40e9bfff3fb84ad9c6867171c3df4855d
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 799d038b7158803bea933cf39b0b77b6ad7abc565185a6302c43ebec12009330
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CB11CC61D0BE0785FF599B17ADC13702290AF24748F2404B4CA0DC62B1DFBCA4A5CE41
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A430407C: FindFirstFileW.KERNEL32 ref: 00007FF6A43040CB
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A430407C: FindFirstFileW.KERNEL32 ref: 00007FF6A430411E
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A430407C: GetLastError.KERNEL32 ref: 00007FF6A430416F
                                                                                                                                                                                                                                                      • FindClose.KERNEL32(?,?,00000000,00007FF6A4310791), ref: 00007FF6A4303EBD
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: Find$FileFirst$CloseErrorLast
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1464966427-0
                                                                                                                                                                                                                                                      • Opcode ID: 3db1f706a341b632f8dfa3ea15531839b7ab568833e068a27522bd2dc9fc7792
                                                                                                                                                                                                                                                      • Instruction ID: 42dcfa4046c9e60636d2d5b2188bc0fe330f51b41ee56af08aecd55b8385449b
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3db1f706a341b632f8dfa3ea15531839b7ab568833e068a27522bd2dc9fc7792
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B7F0467290EA8185EB549B76A98037D23609F8ABF4F1803B4DA3D473EBCE2DD584C710
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • FindCloseChangeNotification.KERNEL32(?,?,00000001,00007FF6A4302036), ref: 00007FF6A43020B6
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: ChangeCloseFindNotification
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 2591292051-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: AllocateHeap
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1279760036-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: File
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 749574446-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: Window
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 2353593579-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: FileType
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 3081899298-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: DestroyWindow
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 3375834691-0
                                                                                                                                                                                                                                                      • Opcode ID: 949b28124818714ca832feb4e37ad8129628b940bc778c5fc86e08d6e142992b
                                                                                                                                                                                                                                                      • Instruction ID: 15afa64c7506daa7095ba984b39c93da7d2d9d13fa0097378bd645369a2d1c8d
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 949b28124818714ca832feb4e37ad8129628b940bc778c5fc86e08d6e142992b
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 98C01253A1794482EF555B93E8C57345220DF58B09F1C4424CA0D49151CF1884D5C321
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: CurrentDirectory
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1611563598-0
                                                                                                                                                                                                                                                      • Opcode ID: 9c840309d013360c449daa427f1fc183ac61f7933642795e3a693a1311e8ce7d
                                                                                                                                                                                                                                                      • Instruction ID: 77653c734e3a0fbefa3ccbae875ac3af3e5fe28baf632d07922002c4c1ef77c1
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9c840309d013360c449daa427f1fc183ac61f7933642795e3a693a1311e8ce7d
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2BC04C25F16902D1DB085B27CCC912813A5BB94B05B658135D50DC1170DE2DD5EA9755
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn$CloseErrorFileHandleLastwcscpy$ControlCreateCurrentDeleteDeviceDirectoryProcessRemove
                                                                                                                                                                                                                                                      • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                                                                                                                                                                                                      • API String ID: 2659423929-3508440684
                                                                                                                                                                                                                                                      • Opcode ID: 7188dada5198c67526d225528ba28c4dea82b03aeb3e872c79c91cb2039342dc
                                                                                                                                                                                                                                                      • Instruction ID: ed0d0ad14e7040ff0cbe6845d20430762def521314b5302e9b47b81b5758cd74
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7188dada5198c67526d225528ba28c4dea82b03aeb3e872c79c91cb2039342dc
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5462A062F0AA4285FB009B76DDC52BD2361BF857A4F904231DA2D97AE9DF38E595C300
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn$ErrorLastLoadString$Concurrency::cancel_current_taskInit_thread_footer
                                                                                                                                                                                                                                                      • String ID: %ls$%s: %s
                                                                                                                                                                                                                                                      • API String ID: 2539828978-2259941744
                                                                                                                                                                                                                                                      • Opcode ID: cc1c4c34171a6bb235fdcb5b80e9a2c079f2ebd0ebebc9d1ba56227bb0478327
                                                                                                                                                                                                                                                      • Instruction ID: 9e4d3ff3d2c3fece043d7a554aff3d94fdb2e272d48d97f6e8bd887f6b863bfb
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: cc1c4c34171a6bb235fdcb5b80e9a2c079f2ebd0ebebc9d1ba56227bb0478327
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 54B2CB62E1AA8242EE10976ADCD41BE6361FFD5790F504336E69D83AFADF6CD540C700
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfomemcpy_s
                                                                                                                                                                                                                                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                                                                                                                                                      • API String ID: 1759834784-2761157908
                                                                                                                                                                                                                                                      • Opcode ID: f4511a10a764153de8bd46bbc9a62ab6f98d2375fe8a04f030b037aba6a1eadf
                                                                                                                                                                                                                                                      • Instruction ID: f09a71e7b4863b7013bcb04d1698870c79f13337978cacd205e8007ea3ed9db7
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f4511a10a764153de8bd46bbc9a62ab6f98d2375fe8a04f030b037aba6a1eadf
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AFB20972E099828BE7258F66DC807FDB7A1FB44788F509135DA1A97BA4DF38F5048B40
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: NamePath$File_invalid_parameter_noinfo_noreturn$LongMoveShort$CompareCreateString
                                                                                                                                                                                                                                                      • String ID: rtmp
                                                                                                                                                                                                                                                      • API String ID: 3587137053-870060881
                                                                                                                                                                                                                                                      • Opcode ID: c0327ea9e158b3686a151951578431f614de34c7b9210305ccce6b7cfbf9a6b1
                                                                                                                                                                                                                                                      • Instruction ID: 8ba90b7398cc062e184492e502bbb7840bbf0074d79cf2b2a55db63559b50512
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c0327ea9e158b3686a151951578431f614de34c7b9210305ccce6b7cfbf9a6b1
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 21F1BE22B0AE8285EE10DB66DCC01BD6761EBD5784F901232EB4D87AB9DF3DE584C740
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: FullNamePath_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1693479884-0
                                                                                                                                                                                                                                                      • Opcode ID: 98847fc0a0a84781d4ba02383bfb3443521a2b3df3f50960c1a44faee8b43a12
                                                                                                                                                                                                                                                      • Instruction ID: b837d7cf67a302e6485abe843466d3ce882351fd5595d96281b28e816262594a
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 98847fc0a0a84781d4ba02383bfb3443521a2b3df3f50960c1a44faee8b43a12
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A9A1BE62F17E5285FE04CB7A9C885BD2371AB85BA4B544335DE6D97BE8DE3CE481C200
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 3140674995-0
                                                                                                                                                                                                                                                      • Opcode ID: 0807455d0555d650f040b04fa66349818bf1af33e15178971619a7c0969c3fb0
                                                                                                                                                                                                                                                      • Instruction ID: 2ca87480b2e511a212f61683094bf4be2dfe98955fd5f293203b80a71903010e
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0807455d0555d650f040b04fa66349818bf1af33e15178971619a7c0969c3fb0
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5B318C7660AF818AEB648F61EC903ED73A0FB94744F44403ADA4E87BA8DF78D548C710
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1239891234-0
                                                                                                                                                                                                                                                      • Opcode ID: ad4a7a01f5f8e7c35986f1c3a3571837895acf53bea511e166d2dcba98ee745e
                                                                                                                                                                                                                                                      • Instruction ID: 4e3cb8628ae884214401840eebd23ab1d7a29e72f0280820e78c295a561a72cc
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ad4a7a01f5f8e7c35986f1c3a3571837895acf53bea511e166d2dcba98ee745e
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 27316F36609F8186EB648F26EC803AE73A4FB98794F540135EA9D83B68DF3CD555CB40
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 3668304517-0
                                                                                                                                                                                                                                                      • Opcode ID: e4f76085d4319caec31d13061860d09f6c594104b8d6fbbba7e66862e16aba8c
                                                                                                                                                                                                                                                      • Instruction ID: aca2801d324547720dd41074a377d922dbad0858e3e8b131a62c0e66084f1ced
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e4f76085d4319caec31d13061860d09f6c594104b8d6fbbba7e66862e16aba8c
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: FAB1BF62A17A8686EA109B65DD802FE2361FF95794FC05231EA4C87BE9DF3DD950C300
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • _invalid_parameter_noinfo.LIBCMT ref: 00007FF6A432FA44
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A43278B4: GetCurrentProcess.KERNEL32(00007FF6A4330C4D), ref: 00007FF6A43278E1
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
• Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: CurrentProcess_invalid_parameter_noinfo
                                                                                                                                                                                                                                                      • String ID: *?$.
                                                                                                                                                                                                                                                      • API String ID: 2518042432-3972193922
                                                                                                                                                                                                                                                      • Opcode ID: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
                                                                                                                                                                                                                                                      • Instruction ID: 0b4d9af5855df0ff09660d6406bd128a55601ac76f628b4074b52636ec67b694
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5D51E162B16F9A81EB10DFA39C904BC77A4FB68BD8B448171DE1D97B99DE3CD0428740
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
• Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: memcpy_s
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1502251526-0
                                                                                                                                                                                                                                                      • Opcode ID: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
                                                                                                                                                                                                                                                      • Instruction ID: b09f8f2a12deb72e4ee55a41d6e2ebd145169af8f8b328d92217948de15a1627
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 53D19032B19A8687DB64CF16E58476AB7A1FB88784F148134DB5E97B54CE3CF845CB00
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
• Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: ErrorFormatFreeLastLocalMessage
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1365068426-0
                                                                                                                                                                                                                                                      • Opcode ID: a3eefe559d296bd36c1cae37cf4e1e300267d0d32691df0dd3a6d40942d78c6b
                                                                                                                                                                                                                                                      • Instruction ID: a31d609f7fdf9ec3ab33fdb56be55683fbc266ac8f0209e850c2ef04aaf632ec
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a3eefe559d296bd36c1cae37cf4e1e300267d0d32691df0dd3a6d40942d78c6b
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 83012C7670EB4282E6148F22B9D027AA791BB89BC0F484034EA4D86B69CF3CE515C700
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
• Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID: .
                                                                                                                                                                                                                                                      • API String ID: 0-248832578
                                                                                                                                                                                                                                                      • Opcode ID: d32bfd7dd4cf680a9fa377edfecf70278dec73d3bfc6a9986e2ab5c97ce62f8e
                                                                                                                                                                                                                                                      • Instruction ID: f45f2decf11f3049afa97bc6eec2f5dccb5766e6b67386d8c939aa3a4b47aada
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d32bfd7dd4cf680a9fa377edfecf70278dec73d3bfc6a9986e2ab5c97ce62f8e
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6B31FB22B05E9145F7209B33EC457B97A91AB65FE4F148235DE6C87BE5CE3CD5018740
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
• Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: ExceptionRaise_clrfp
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 15204871-0
                                                                                                                                                                                                                                                      • Opcode ID: dd850569bf3cdd24e5cff22b07788c07adbe1485687e236f21ba57eb0d1323aa
                                                                                                                                                                                                                                                      • Instruction ID: 2b6486be421d374a26218f7dd24b4f3c69563ed814f277a653d09b59315944ca
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: dd850569bf3cdd24e5cff22b07788c07adbe1485687e236f21ba57eb0d1323aa
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 32B13B77616B858BEB15CF2AC88A368BBE0F744B48F158921DA5D877B4CF39E451C700
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: FormatInfoLocaleNumber
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 2169056816-0
                                                                                                                                                                                                                                                      • Opcode ID: d9124697dc7a8d84d5d498c11f979aef44ae65fa130e56fd134fc764616be2af
                                                                                                                                                                                                                                                      • Instruction ID: b03b4564273053267049bbff0e506c56eae7531b65727b963d22ab5f928775c7
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d9124697dc7a8d84d5d498c11f979aef44ae65fa130e56fd134fc764616be2af
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E3116D32A1AB8196E7618F22E8807E973A0FF88B85F844135DA4D83664DF3CE145C744
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A4302480: CreateFileW.KERNEL32 ref: 00007FF6A430255B
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A4302480: GetLastError.KERNEL32 ref: 00007FF6A430256E
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A4302480: CreateFileW.KERNEL32 ref: 00007FF6A43025CE
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A4302480: GetLastError.KERNEL32 ref: 00007FF6A43025D7
                                                                                                                                                                                                                                                      • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6A4301588
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A4303940: MoveFileW.KERNEL32 ref: 00007FF6A430397D
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A4303940: MoveFileW.KERNEL32 ref: 00007FF6A43039F4
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: File$CreateErrorLastMove$_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 34527147-0
                                                                                                                                                                                                                                                      • Opcode ID: cab60bff43e1465af6e0c93c52c050bd1821016a58fe0daae9f2f03c6ca1d864
                                                                                                                                                                                                                                                      • Instruction ID: 2b7e53862b75d0dd4c4fea145d68170782e49ada288d71ec5884b3e9cc5c6c73
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: cab60bff43e1465af6e0c93c52c050bd1821016a58fe0daae9f2f03c6ca1d864
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5091AE22B2AA4682EF10DB63D8842AE6361FF94BC4F804136EF4D87BA5DE3DD555C700
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: ObjectRelease$CapsDevice
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1061551593-0
                                                                                                                                                                                                                                                      • Opcode ID: 889094c01c96e48fc0bc8d6bac5bcd56f2ce6fd0cf7844abad017e09edda8be2
                                                                                                                                                                                                                                                      • Instruction ID: 9665f619d27ac8e9a3296a6695c1b9c1ac74d02c7ebe17afcf4a488a61eaef7e
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 889094c01c96e48fc0bc8d6bac5bcd56f2ce6fd0cf7844abad017e09edda8be2
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 76810836B19E0586EB24CF6AE8806AD7771FB88B88F004522DE0D97B64DF7CE545C790
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: Version
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1889659487-0
                                                                                                                                                                                                                                                      • Opcode ID: 28938a17eae63f527378ec6d8089add22f73b828584f204ae18651ef0e591bdf
                                                                                                                                                                                                                                                      • Instruction ID: ec8f17baf68dadc6c018e6d0cc76477a41fe53e464c20c964d64b67ae1155dbd
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 28938a17eae63f527378ec6d8089add22f73b828584f204ae18651ef0e591bdf
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3901E97590AA428BF668CB12EC9177933A1FBD8355F500234D66D867B4DF3DE5018E00
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
• Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
• Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                      • String ID: 0
                                                                                                                                                                                                                                                      • API String ID: 3215553584-4108050209
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                      • String ID: 0
                                                                                                                                                                                                                                                      • API String ID: 3215553584-4108050209
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID: gj
                                                                                                                                                                                                                                                      • API String ID: 0-4203073231
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID: @
                                                                                                                                                                                                                                                      • API String ID: 0-2766056989
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: HeapProcess
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 54951025-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
• Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: 6472486f99e2931273e545462403043f1bf9b0b2859d16c20765bc74e3144e89
                                                                                                                                                                                                                                                      • Instruction ID: eed7c380ee069f3d687cf966c0b88ea11a46af21d855ed4135f8f6e24751cb75
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6472486f99e2931273e545462403043f1bf9b0b2859d16c20765bc74e3144e89
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2CC1ADB7B281908FE350CF7AE440A9D3BB1F39878CB519125DF59A3B09D639E645CB40
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: d136bca7deb9820811996b1a273c16c67381898c9c8c0d7b5743e702d501d639
                                                                                                                                                                                                                                                      • Instruction ID: 1ff38c651ccb9f7126d68a6585b7daf015db276b2a23dea516fee69cf64badc2
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d136bca7deb9820811996b1a273c16c67381898c9c8c0d7b5743e702d501d639
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5EA16673A0998246EF14CA2ADCC47FD6791EBA0744F158234DA4EA77A2DF3CE841C360
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: da4b5c93971cda1c30e5eee4be8d9e04c4b4a48383b2ec9a90131c9e461bfd7c
                                                                                                                                                                                                                                                      • Instruction ID: 540aec75ba095664a5162e411ec250bcf86e5e04d871857517945860d14ae905
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: da4b5c93971cda1c30e5eee4be8d9e04c4b4a48383b2ec9a90131c9e461bfd7c
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: FCC12773A2A5E04DE302CBB6A4608FD3FF1E75E34DB4A4251EFA656B4EC5284201DF60
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: AddressProc
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 190572456-0
                                                                                                                                                                                                                                                      • Opcode ID: b509a7b9623e828e2f94f36bf10b171de2d5eb00cb1ca025cb199c8348f6ee71
                                                                                                                                                                                                                                                      • Instruction ID: a766f664aea54523acfdf36085ffa5d1e083ad3b888836135b640bbec99d931b
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b509a7b9623e828e2f94f36bf10b171de2d5eb00cb1ca025cb199c8348f6ee71
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: EE914663B1998196EB11CF2AD8816FD2720FFA5788F441131EF4E87A69EE39E605C700
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: ad0df4841f270bcfaeccc73dae356be3e63ef9d514f613fc5c919404c1519221
                                                                                                                                                                                                                                                      • Instruction ID: 7aef659fb93524b30cb6fbd5cb9892fb82f7c4594c6ceee574bb31cb5f70ed28
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ad0df4841f270bcfaeccc73dae356be3e63ef9d514f613fc5c919404c1519221
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 45812422B1AB5185EB10DB26DC806EE7765FF84B88F804031DE4D87BAADF79D505CB40
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
• Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                      • String ID: :$EFS:$LOGGED_UTILITY_STREAM$:$I30:$INDEX_ALLOCATION$:$TXF_DATA:$LOGGED_UTILITY_STREAM$::$ATTRIBUTE_LIST$::$BITMAP$::$DATA$::$EA$::$EA_INFORMATION$::$FILE_NAME$::$INDEX_ALLOCATION$::$INDEX_ROOT$::$LOGGED_UTILITY_STREAM$::$OBJECT_ID$::$REPARSE_POINT
                                                                                                                                                                                                                                                      • API String ID: 3668304517-727060406
                                                                                                                                                                                                                                                      • Opcode ID: df969facf24a54bd4a4c61cb6c3becc837b8ce778cf416acdee48feaf039601d
                                                                                                                                                                                                                                                      • Instruction ID: e75f0c9401bc6a2c5bec1d4beaa852058785495e4045882be87a4f53c61b7430
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: df969facf24a54bd4a4c61cb6c3becc837b8ce778cf416acdee48feaf039601d
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1441087AB16F0199EB048B65E8803E873B5FB48794F800636DA4D83B69EF79E165C344
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                                                                                                                                                                                                                                      • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                                                                                                                                                                                                      • API String ID: 2565136772-3242537097
                                                                                                                                                                                                                                                      • Opcode ID: fdee9745a353db95c9b4b27806cffd46c0390e42e013dce2f99bb91082c79cfb
                                                                                                                                                                                                                                                      • Instruction ID: 2fa0a1bcc158d0eebe884bd97e6c22d86f05ab05e9f6124efec19ce0600b2ee9
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: fdee9745a353db95c9b4b27806cffd46c0390e42e013dce2f99bb91082c79cfb
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2B211964E0BE0395FE289B23ECD527873A0AF58B90F448075C90E86AB1DEBCB455C341
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
                                                                                                                                                                                                                                                      • String ID: DXGIDebug.dll$UNC$\\?\
                                                                                                                                                                                                                                                      • API String ID: 4097890229-4048004291
                                                                                                                                                                                                                                                      • Opcode ID: bfc30a2d9763371fa05dc3689b9f97feb0316accffdd2e59997247909b7df4a9
                                                                                                                                                                                                                                                      • Instruction ID: 381d4e05ff1c29a1dd313155f3c079252f21b2ba927f7c2dd84aa120be99317d
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: bfc30a2d9763371fa05dc3689b9f97feb0316accffdd2e59997247909b7df4a9
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CC12DD62B0AF4281EB10DB66E8801BD6371EB81B88F904235DB5D87AF9DF3DE549C340
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                      • String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
                                                                                                                                                                                                                                                      • API String ID: 3215553584-2617248754
                                                                                                                                                                                                                                                      • Opcode ID: a60231409e47c1a5672abfa229f1b0c42138c6649af1949bad2eb6332146811d
                                                                                                                                                                                                                                                      • Instruction ID: 22fdfb37dcaf7b962040310539cbf0b471c39c163316e7a62e5456628b6519b2
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a60231409e47c1a5672abfa229f1b0c42138c6649af1949bad2eb6332146811d
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 52418B72A0AF45C9E740CF26EC827A933A4EB18398F014576DE5C87B64DE3CD125C384
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: Window$ButtonChecked$ClassLongNameObject
                                                                                                                                                                                                                                                      • String ID: STATIC
                                                                                                                                                                                                                                                      • API String ID: 343552168-1882779555
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
• Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
Similarity
• API ID: AddressProc$CurrentDirectoryProcessSystem
• String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
• API String ID: 2915667086-2207617598
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
• Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn
• String ID: $
• API String ID: 3668304517-227171996
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
• Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
Similarity
• API ID: Item$ParentText
• String ID: LICENSEDLG
• API String ID: 1247523477-2177901306
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
• Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
Similarity
• API ID: Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 2940173790-393685449
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
• Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
Similarity
• API ID: AllocClearStringVariant
• String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
• API String ID: 1959693985-3505469590
                                                                                                                                                                                                                                                      • Opcode ID: 408e286e95d7be2333e7e980e9c5bf6a4dc44dd0e8b0d4c37376681f41bb0957
                                                                                                                                                                                                                                                      • Instruction ID: 5d9de4f82784d002d1b4cf1eca66ecbaddf9907c4af34db9c3833cfe68b47165
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 408e286e95d7be2333e7e980e9c5bf6a4dc44dd0e8b0d4c37376681f41bb0957
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BA710936A16E0585EB14CF26EC806AD77B4FB98B98B545232EA4E83B74CF7CE544C740
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • LoadLibraryExW.KERNEL32(?,?,00000000,00007FF6A4327473,?,?,?,00007FF6A43251DE,?,?,?,00007FF6A4325199), ref: 00007FF6A43272F1
                                                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,?,00000000,00007FF6A4327473,?,?,?,00007FF6A43251DE,?,?,?,00007FF6A4325199), ref: 00007FF6A43272FF
                                                                                                                                                                                                                                                      • LoadLibraryExW.KERNEL32(?,?,00000000,00007FF6A4327473,?,?,?,00007FF6A43251DE,?,?,?,00007FF6A4325199), ref: 00007FF6A4327329
                                                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(?,?,00000000,00007FF6A4327473,?,?,?,00007FF6A43251DE,?,?,?,00007FF6A4325199), ref: 00007FF6A432736F
                                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,?,00000000,00007FF6A4327473,?,?,?,00007FF6A43251DE,?,?,?,00007FF6A4325199), ref: 00007FF6A432737B
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                                                                                                                                                                      • String ID: api-ms-
                                                                                                                                                                                                                                                      • API String ID: 2559590344-2084034818
                                                                                                                                                                                                                                                      • Opcode ID: c3b9cc9cdd52f2350940838b7b06db5a4f889f983fd09e5162c1733cb5f95556
                                                                                                                                                                                                                                                      • Instruction ID: 585d2f7d13ea78daadbe7fd1a7014ec1e299635bb378e6b256943b5c8afc2ba8
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c3b9cc9cdd52f2350940838b7b06db5a4f889f983fd09e5162c1733cb5f95556
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1331E361A1BE4291EE159B03AC806BA73D4FF58BA0F594534DE1D8B3A4DF3CF4408390
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(?,?,?,00007FF6A43214F3,?,?,?,00007FF6A43218AA), ref: 00007FF6A43215AB
                                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,?,?,00007FF6A43214F3,?,?,?,00007FF6A43218AA), ref: 00007FF6A43215C8
                                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,?,?,00007FF6A43214F3,?,?,?,00007FF6A43218AA), ref: 00007FF6A43215E4
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: AddressProc$HandleModule
                                                                                                                                                                                                                                                      • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                                                                                                                                                                                                                      • API String ID: 667068680-1718035505
                                                                                                                                                                                                                                                      • Opcode ID: b86a11e47b759afb9776b5a8196b9ce040a12c050a3cc6a343a5a4dac9788fc5
                                                                                                                                                                                                                                                      • Instruction ID: fbd6fd24fb8bbd50792ee5690590cd02de23e90379b1ad6f709c6b450ddf7247
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b86a11e47b759afb9776b5a8196b9ce040a12c050a3cc6a343a5a4dac9788fc5
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1B111E20E0BF0385FE558B03AEC027562916F18B94F585575CA5E86374EEBCB9948680
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                        • Part of subcall function 00007FF6A4305164: GetVersionExW.KERNEL32 ref: 00007FF6A4305195
                                                                                                                                                                                                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6A42F5ABC), ref: 00007FF6A430ED0C
                                                                                                                                                                                                                                                      • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6A42F5ABC), ref: 00007FF6A430ED18
                                                                                                                                                                                                                                                      • SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6A42F5ABC), ref: 00007FF6A430ED28
                                                                                                                                                                                                                                                      • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6A42F5ABC), ref: 00007FF6A430ED36
                                                                                                                                                                                                                                                      • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6A42F5ABC), ref: 00007FF6A430ED44
                                                                                                                                                                                                                                                      • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6A42F5ABC), ref: 00007FF6A430ED85
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: Time$File$System$Local$SpecificVersion
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 2092733347-0
                                                                                                                                                                                                                                                      • Opcode ID: fd651a404897a6a4441ea403f02956d6baa9a0eb7a17f9813df5aa7066cb431e
                                                                                                                                                                                                                                                      • Instruction ID: acc61dd142c4f35fd8e4e77e5077efc7eca241a4ed344b23a2800090ba6d0225
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: fd651a404897a6a4441ea403f02956d6baa9a0eb7a17f9813df5aa7066cb431e
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 12517FB2B11A518FEB54CF65E8811AC77B1FB48788B60413ADE0D97B68DF38E551C740
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: Time$File$System$Local$SpecificVersion
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 2092733347-0
                                                                                                                                                                                                                                                      • Opcode ID: 75a8bc4378bee31fccdfb2974230a450bdf33b57f85e7c22afbcf2edf14db1b8
                                                                                                                                                                                                                                                      • Instruction ID: 67605d168da186ed143bcc859f934b51625e07096cc7074dbe040dde1ffe24e4
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 75a8bc4378bee31fccdfb2974230a450bdf33b57f85e7c22afbcf2edf14db1b8
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AE313966B11A51CEFB04CFB6E8802AC7770FB08758B54502AEE0DD7A68EF78D595C310
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                      • String ID: .rar$exe$rar$sfx
                                                                                                                                                                                                                                                      • API String ID: 3668304517-630704357
                                                                                                                                                                                                                                                      • Opcode ID: 396299a5b1ccd598accc38a78ad002547d98c5a043810e6323e0cb500f167d8a
                                                                                                                                                                                                                                                      • Instruction ID: ef51f04292354a3fdd690cd1b64b3c4e71ced420e008909fd1dc6f227be425d8
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 396299a5b1ccd598accc38a78ad002547d98c5a043810e6323e0cb500f167d8a
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CDA19C66A1AE4640EA049B2ADCD53BC23A1BF80BA8F505335DE1D876F9DF3CE595C340
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: abort$CallEncodePointerTranslator
                                                                                                                                                                                                                                                      • String ID: MOC$RCC
                                                                                                                                                                                                                                                      • API String ID: 2889003569-2084237596
                                                                                                                                                                                                                                                      • Opcode ID: ab04bccd114fd37ee07c78e6a8355f7d33a779087ea2a313566685aba8f4470c
                                                                                                                                                                                                                                                      • Instruction ID: b8ac78c22265d894e53347b9bb6567db367c88745eeb2dc70f264c96675b29a1
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ab04bccd114fd37ee07c78e6a8355f7d33a779087ea2a313566685aba8f4470c
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5D91A473A0AB819AE750CF66D8803AD77B0FB14788F144125EE8D57765DF38D195C740
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                                                                                                                                                                      • String ID: csm$f
                                                                                                                                                                                                                                                      • API String ID: 2395640692-629598281
                                                                                                                                                                                                                                                      • Opcode ID: ec9dc00a1498f0518f52aab0520fd36c16a5f49c97d71af4407016564852814a
                                                                                                                                                                                                                                                      • Instruction ID: cfbfd9995dfcc9ebd4f2b525a4654aa2ef6014c4e5cef4914e975ba6ccee0e77
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ec9dc00a1498f0518f52aab0520fd36c16a5f49c97d71af4407016564852814a
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BC51B032A1BA0286EB14CF13EC84A393795FB60B98F50C074DA1A87758DF79EA41C784
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: ErrorLast_invalid_parameter_noinfo_noreturn$CloseCurrentHandleProcess
                                                                                                                                                                                                                                                      • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                                                                                                                                                                                                                      • API String ID: 2102711378-639343689
                                                                                                                                                                                                                                                      • Opcode ID: 2422b4c07861c816dcb6e088245771ec7e30f8252f36e9de8bdb4ac705605003
                                                                                                                                                                                                                                                      • Instruction ID: 438ac931c724686aa31d67c861f21d43cb00d53ae613a192e39cb1aecf38e9aa
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2422b4c07861c816dcb6e088245771ec7e30f8252f36e9de8bdb4ac705605003
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A351CF62F1BB4285FB00DB66EDC16B923B0AF947A4F440135DE5E936BADF3DA495C200
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
• Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
• Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: EnvironmentVariable$_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                      • String ID: sfxcmd$sfxpar
                                                                                                                                                                                                                                                      • API String ID: 3540648995-3493335439
                                                                                                                                                                                                                                                      • Opcode ID: de9741161c31a08bbe9fff160a80b1df0e4e4f2ed9c3bb4d40033563ae2b19ea
                                                                                                                                                                                                                                                      • Instruction ID: 2f5545e60d830fd60e0a8cd0a95ec5a8f0534954b7e7398b23a0a8dbde6dfe85
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: de9741161c31a08bbe9fff160a80b1df0e4e4f2ed9c3bb4d40033563ae2b19ea
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 28316A62A15E0684EF04CB6AECC42BC7371FB48B98F140131DE1D97AB9CE28E181C254
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
• Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
• Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID: RENAMEDLG$REPLACEFILEDLG
                                                                                                                                                                                                                                                      • API String ID: 0-56093855
                                                                                                                                                                                                                                                      • Opcode ID: fc5be3ed44ea404419216795f56c086f61d8a3e370be94283853cacc62a44369
                                                                                                                                                                                                                                                      • Instruction ID: 528b327b59948db855a322a30a9426f254c43d17c8e81145816c8820521973c7
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: fc5be3ed44ea404419216795f56c086f61d8a3e370be94283853cacc62a44369
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C421E065A0BE8784FE108B1BEDC41B863A0AF49B88F540436D98DC72B4DF7CE195C361
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
• Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
• Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                                      • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                                      • Opcode ID: f98038199561589234cc2a21183cce8921094221fb9f21f9ab19275f87f72e7e
                                                                                                                                                                                                                                                      • Instruction ID: bd6428697fb0fa1323f9274e839d14cf687a93df67944e93a5fd28490dd29dfd
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f98038199561589234cc2a21183cce8921094221fb9f21f9ab19275f87f72e7e
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 35F04966A1BE4291EE488B12FCC4379A3A0FF88B90F481035E94F86674DE7CE5848B40
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
• Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
• Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 3215553584-0
                                                                                                                                                                                                                                                      • Opcode ID: c065245cb44755ae58ebfe43422878115c1e571edfc284914e4b515b233c21cc
                                                                                                                                                                                                                                                      • Instruction ID: f551c20cbc47c82142b9abb57394f701495fdee319538663e79bbd9eb6c03941
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c065245cb44755ae58ebfe43422878115c1e571edfc284914e4b515b233c21cc
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CD81AE22E1AE52A9F7109B269CC07BDA6A0BB65B98F204135DD0E976B5CF3CF445CB10
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
• Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
• Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: File$Create$CloseHandleTime_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 2398171386-0
                                                                                                                                                                                                                                                      • Opcode ID: a56bd3e4cf788a7d7e6f33a138c27692c5a67c16597c4aca8c4dd2437fa641d8
                                                                                                                                                                                                                                                      • Instruction ID: 0eaab22ab1a02c5050c0247101d7a6efdbd4da367fafb370bef2a970ffcf2b31
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a56bd3e4cf788a7d7e6f33a138c27692c5a67c16597c4aca8c4dd2437fa641d8
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AE51C222B0AE0259FB54CB76EC803BD63B1AB887A8F004775DE1DC6BE4DE3892558340
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 3659116390-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: ByteCharMultiWide$AllocString
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 262959230-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: AddressProc
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 190572456-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _set_statfp
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1156100317-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: __except_validate_context_recordabort
                                                                                                                                                                                                                                                      • String ID: csm$csm
                                                                                                                                                                                                                                                      • API String ID: 746414643-3733052814
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                      • String ID: $*
                                                                                                                                                                                                                                                      • API String ID: 3215553584-3982473090
                                                                                                                                                                                                                                                      • Opcode ID: 9f157a4f6751954bae8bab9751d51363cef21cdc707d610504346d4c75dafc04
                                                                                                                                                                                                                                                      • Instruction ID: 748f09025642527306df88f6b275ff3fa5a3e89d385544486f8e64930166edb7
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9f157a4f6751954bae8bab9751d51363cef21cdc707d610504346d4c75dafc04
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2E51577290EF468AE76C8E2698C537C37A0FB25B08F141375C65A912F9CFBCE481C685
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: ByteCharMultiWide$StringType
                                                                                                                                                                                                                                                      • String ID: $%s
                                                                                                                                                                                                                                                      • API String ID: 3586891840-3791308623
                                                                                                                                                                                                                                                      • Opcode ID: e5e9050dfdaeb3c12b157b48f2e5ef5602bf6f551ba74a9a670d22b2743eb576
                                                                                                                                                                                                                                                      • Instruction ID: 8ea80feb9bccc338372b21d02d8e108c3907d1f9d69d8a055d557b8d8b367843
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e5e9050dfdaeb3c12b157b48f2e5ef5602bf6f551ba74a9a670d22b2743eb576
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 30418022B16F818AEF648F66DC807A9A291FB54BA8F484635DF1D877E4DF3CE4458300
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: CreateFrameInfo__except_validate_context_recordabort
                                                                                                                                                                                                                                                      • String ID: csm
                                                                                                                                                                                                                                                      • API String ID: 2466640111-1018135373
                                                                                                                                                                                                                                                      • Opcode ID: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
                                                                                                                                                                                                                                                      • Instruction ID: bbc34e05b0407340fa326264c9824652808d0c392288b17cf97a14fffc97ec59
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A951407661AB4187DA20AB17E88027E77E4FBA8B94F101575DB8D87B65CF38E450CB80
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: ByteCharErrorFileLastMultiWideWrite
                                                                                                                                                                                                                                                      • String ID: U
                                                                                                                                                                                                                                                      • API String ID: 2456169464-4171548499
                                                                                                                                                                                                                                                      • Opcode ID: d45e585e69c0243794f741c6b44cd1cf0a8545c3e68d7014f3b50cee5fd1175b
                                                                                                                                                                                                                                                      • Instruction ID: 55c859d62927edb03a60fdff97a31b504727839d7ebb7eb361d0ae95dab6c6aa
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d45e585e69c0243794f741c6b44cd1cf0a8545c3e68d7014f3b50cee5fd1175b
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5A41A22261AA8196E7208F26EC843BAB7A0FB98794F554031EE4DC77A8DF7CE451C740
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: ObjectRelease
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1429681911-3916222277
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • InitializeCriticalSection.KERNEL32(?,?,?,00007FF6A43130FF,?,?,00001000,00007FF6A42FE52D), ref: 00007FF6A430E837
                                                                                                                                                                                                                                                      • CreateSemaphoreW.KERNEL32(?,?,?,00007FF6A43130FF,?,?,00001000,00007FF6A42FE52D), ref: 00007FF6A430E847
                                                                                                                                                                                                                                                      • CreateEventW.KERNEL32(?,?,?,00007FF6A43130FF,?,?,00001000,00007FF6A42FE52D), ref: 00007FF6A430E860
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                                                                                                                                                                                                      • String ID: Thread pool initialization failed.
                                                                                                                                                                                                                                                      • API String ID: 3340455307-2182114853
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: ClassCursorLoadRegister
                                                                                                                                                                                                                                                      • String ID: P$RarHtmlClassName
                                                                                                                                                                                                                                                      • API String ID: 1693014935-552670043
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: CapsDeviceRelease
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 127614599-3916222277
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn$FileTime
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1137671866-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
• Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
• Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: ErrorLast
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1452528299-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1077098981-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 4141327611-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: FileMove_invalid_parameter_noinfo_noreturn
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 3823481717-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: ErrorLast$abort
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1447195878-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
• Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: CapsDevice$Release
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1035833867-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                      • String ID: e+000$gfff
                                                                                                                                                                                                                                                      • API String ID: 3215553584-3030954782
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn$swprintf
                                                                                                                                                                                                                                                      • String ID: SIZE
                                                                                                                                                                                                                                                      • API String ID: 449872665-3243624926
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      • C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exe, xrefs: 00007FF6A432C279
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: FileModuleName_invalid_parameter_noinfo
                                                                                                                                                                                                                                                      • String ID: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.19085.17583.exe
                                                                                                                                                                                                                                                      • API String ID: 3307058713-1739219830
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: ByteCharMultiWide_snwprintf
                                                                                                                                                                                                                                                      • String ID: $%s$@%s
                                                                                                                                                                                                                                                      • API String ID: 2650857296-834177443
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
• Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: DialogParamVisibleWindow
                                                                                                                                                                                                                                                      • String ID: GETPASSWORD1
                                                                                                                                                                                                                                                      • API String ID: 3157717868-3292211884
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: FileHandleType
                                                                                                                                                                                                                                                      • String ID: @
                                                                                                                                                                                                                                                      • API String ID: 3000768030-2766056989
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6A4321CBE), ref: 00007FF6A432403C
                                                                                                                                                                                                                                                      • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6A4321CBE), ref: 00007FF6A4324082
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: ExceptionFileHeaderRaise
                                                                                                                                                                                                                                                      • String ID: csm
                                                                                                                                                                                                                                                      • API String ID: 2573137834-1018135373
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF6A430E8DB,?,?,?,00007FF6A43045FA,?,?,?), ref: 00007FF6A430E9DF
                                                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF6A430E8DB,?,?,?,00007FF6A43045FA,?,?,?), ref: 00007FF6A430E9EA
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: ErrorLastObjectSingleWait
                                                                                                                                                                                                                                                      • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                                                                                                                                                                                                                      • API String ID: 1211598281-2248577382
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.3879698711.00007FF6A42F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A42F0000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879577225.00007FF6A42F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3879863121.00007FF6A4338000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A434B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880210795.00007FF6A4354000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.3880399760.00007FF6A435E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6a42f0000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: FindHandleModuleResource
                                                                                                                                                                                                                                                      • String ID: RTL
                                                                                                                                                                                                                                                      • API String ID: 3537982541-834975271
                                                                                                                                                                                                                                                      • Opcode ID: e3168a20bccc75ec722704d5b9360ecacf73fabbe3432b4ac0f8e016f3fe19b7
                                                                                                                                                                                                                                                      • Instruction ID: 09f924bca5e14b5724a4ef369bfa4c9b9003c10858b1fec8079a7a192ca916ea
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e3168a20bccc75ec722704d5b9360ecacf73fabbe3432b4ac0f8e016f3fe19b7
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E2D05E95F0AE0282FF1D5B73ACC933452905F18B41F885038C81E863B0EEACE484C750
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Execution Graph

                                                                                                                                                                                                                                                      Execution Coverage:11.2%
                                                                                                                                                                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                                                      Signature Coverage:1.1%
                                                                                                                                                                                                                                                      Total number of Nodes:795
                                                                                                                                                                                                                                                      Total number of Limit Nodes:14

                                                                                                                                                                                                                                                      Control-flow Graph

[Control-flow graph, first block 180b2e-180b5f; legend: Executed / Not Executed]
                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • FlsGetValue.KERNEL32(?,00000000,?), ref: 00180B55
                                                                                                                                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00180B61
                                                                                                                                                                                                                                                      • FlsSetValue.KERNEL32(?,?), ref: 00180B7A
                                                                                                                                                                                                                                                      • GetCurrentThread.KERNEL32 ref: 00180BF9
                                                                                                                                                                                                                                                      • GetThreadIOPendingFlag.KERNEL32(00000000), ref: 00180C00
                                                                                                                                                                                                                                                      • FlsGetValue.KERNEL32(?,00000001), ref: 00180C29
                                                                                                                                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00180C35
                                                                                                                                                                                                                                                      • FlsSetValue.KERNEL32(?,?), ref: 00180C4E
                                                                                                                                                                                                                                                      • GetQueuedCompletionStatus.KERNEL32(?,?,?,?), ref: 00180CB0
                                                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 00180CC0
                                                                                                                                                                                                                                                      • GetCurrentThread.KERNEL32 ref: 00180D73
                                                                                                                                                                                                                                                      • GetThreadIOPendingFlag.KERNEL32(00000000), ref: 00180D7A
                                                                                                                                                                                                                                                      • FlsGetValue.KERNEL32(?,00000001), ref: 00180DBC
                                                                                                                                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00180DC8
                                                                                                                                                                                                                                                      • FlsGetValue.KERNEL32(?,00000000,?,?,00000000,?), ref: 00180ECD
                                                                                                                                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00180EDB
                                                                                                                                                                                                                                                      • FlsSetValue.KERNEL32(?,?), ref: 00180EF0
                                                                                                                                                                                                                                                      • FlsGetValue.KERNEL32(?), ref: 0018101E
                                                                                                                                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 0018102C
                                                                                                                                                                                                                                                      • FlsSetValue.KERNEL32(?,?), ref: 00181045
                                                                                                                                                                                                                                                        • Part of subcall function 000C4D25: EventWriteTransfer.ADVAPI32(0065CDE0,00000034,004E05E8,00000000,00000000,?,?,?,?,?,?,00183470,?,00000002,?,?), ref: 000C4D5E
                                                                                                                                                                                                                                                      • FlsSetValue.KERNEL32(?,?), ref: 00180DE1
                                                                                                                                                                                                                                                        • Part of subcall function 001821BF: FlsGetValue.KERNEL32(?,00000000,?,001821A7,?,00181160,00000000,00000000), ref: 001821C6
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000003.00000002.3873639705.0000000000021000.00000020.00000001.01000000.00000010.sdmp, Offset: 00020000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_20000_officesetup.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: Value$Thread$Current$FlagPending$CompletionErrorEventLastQueuedStatusTransferWrite
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 346566023-0
                                                                                                                                                                                                                                                      • Opcode ID: 84a7348915ffb7b447428a2d9075cb085faacff6faf9622419656ec51b9515a4
                                                                                                                                                                                                                                                      • Instruction ID: 91d01b04f992b456886db0ae793b68d5b1c327b14250fdf08de7a030e8b2d8e0
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 84a7348915ffb7b447428a2d9075cb085faacff6faf9622419656ec51b9515a4
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 21F166716087459FC726EF60C944A2EB7E5BF88714F18892DF88597291DB30EE09CF92
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • RevertToSelf.KERNELBASE ref: 00185163
                                                                                                                                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 001852A1
                                                                                                                                                                                                                                                      • GetTickCount64.KERNEL32 ref: 0018539A
                                                                                                                                                                                                                                                      • GetCurrentProcess.KERNEL32(00000000), ref: 001853F1
                                                                                                                                                                                                                                                      • MsgWaitForMultipleObjects.USER32(?,?,00000000,?,000004FF), ref: 00185425
                                                                                                                                                                                                                                                        • Part of subcall function 000CCA1E: GetCurrentThreadId.KERNEL32 ref: 000CCA22
                                                                                                                                                                                                                                                      • IsDebuggerPresent.KERNEL32 ref: 001854C8
                                                                                                                                                                                                                                                      • WaitForMultipleObjects.KERNEL32(?,?,00000000,0000012C), ref: 00185530
                                                                                                                                                                                                                                                      • TranslateMessage.USER32(?), ref: 001855E5
                                                                                                                                                                                                                                                      • DispatchMessageW.USER32(?), ref: 001855F0
                                                                                                                                                                                                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000003), ref: 00185602
                                                                                                                                                                                                                                                      • WaitForSingleObject.KERNEL32(?,00000000), ref: 00185641
                                                                                                                                                                                                                                                      • GetTickCount64.KERNEL32 ref: 001856B5
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000003.00000002.3873639705.0000000000021000.00000020.00000001.01000000.00000010.sdmp, Offset: 00020000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000003.00000002.3876175251.000000000068E000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                                      • Associated: 00000003.00000002.3876257986.000000000069B000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_20000_officesetup.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: CurrentMessageWait$Count64MultipleObjectsThreadTick$DebuggerDispatchObjectPeekPresentProcessRevertSelfSingleTranslate
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1185840874-0
                                                                                                                                                                                                                                                      • Opcode ID: bcf5e51d4dc93553bbaeffabdde28d5c7e96cc0fbd89860c0b3754072a72ca32
                                                                                                                                                                                                                                                      • Instruction ID: 86f1b3739fe70a511350e507e5b3ffb2ac230592191e3d575dc1315b62f802f2
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: bcf5e51d4dc93553bbaeffabdde28d5c7e96cc0fbd89860c0b3754072a72ca32
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A5129C70604B419FD718EF34C884A6AB7E6FF88304F54496DE896C7291EB70EA45CF52
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                                                      control_flow_graph 309 1810d3-181116 call 17f32d RevertToSelf 312 181118-181126 call 182186 309->312 313 181144-181152 call b834c call 17fb83 309->313 312->313 318 181128-18112b 312->318 321 181157-181163 call 182186 313->321 320 181130-181136 call 180b2e 318->320 325 18113b-18113d 320->325 326 181187-18118e 321->326 327 18112d 325->327 328 18113f-181142 325->328 329 181190-1811a3 call 17f381 326->329 330 181165-181178 GetCurrentThread GetThreadIOPendingFlag 326->330 327->320 328->321 335 1811b0-1811b2 329->335 330->329 331 18117a-18117d 330->331 331->329 333 18117f-181181 Sleep 331->333 333->326 336 1811b4-1811c8 335->336 337 1811a5-1811ab 335->337 337->335
                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • RevertToSelf.KERNELBASE(00000000,00000001,D0B23B53), ref: 0018110E
                                                                                                                                                                                                                                                        • Part of subcall function 00182186: FlsSetValue.KERNEL32(?,?,?,?,00181160,00000000,00000000), ref: 00182192
                                                                                                                                                                                                                                                      • GetCurrentThread.KERNEL32 ref: 00181169
                                                                                                                                                                                                                                                      • GetThreadIOPendingFlag.KERNEL32(00000000), ref: 00181170
                                                                                                                                                                                                                                                      • Sleep.KERNEL32(00000001), ref: 00181181
                                                                                                                                                                                                                                                        • Part of subcall function 00180B2E: FlsGetValue.KERNEL32(?,00000000,?), ref: 00180B55
                                                                                                                                                                                                                                                        • Part of subcall function 00180B2E: GetCurrentThreadId.KERNEL32 ref: 00180B61
                                                                                                                                                                                                                                                        • Part of subcall function 00180B2E: FlsSetValue.KERNEL32(?,?), ref: 00180B7A
                                                                                                                                                                                                                                                        • Part of subcall function 00180B2E: GetCurrentThread.KERNEL32 ref: 00180BF9
                                                                                                                                                                                                                                                        • Part of subcall function 00180B2E: GetThreadIOPendingFlag.KERNEL32(00000000), ref: 00180C00
                                                                                                                                                                                                                                                        • Part of subcall function 00180B2E: FlsGetValue.KERNEL32(?,00000001), ref: 00180C29
                                                                                                                                                                                                                                                        • Part of subcall function 00180B2E: GetCurrentThreadId.KERNEL32 ref: 00180C35
                                                                                                                                                                                                                                                        • Part of subcall function 00180B2E: FlsSetValue.KERNEL32(?,?), ref: 00180C4E
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000003.00000002.3873639705.0000000000021000.00000020.00000001.01000000.00000010.sdmp, Offset: 00020000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_20000_officesetup.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: Thread$Value$Current$FlagPending$RevertSelfSleep
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 282077167-0
                                                                                                                                                                                                                                                      • Opcode ID: 2b88a94827d6b3f8d06fb671e58e139fecc4f5512a6dd3b1c2513a0012a70b05
                                                                                                                                                                                                                                                      • Instruction ID: 91409a26a5a15414bd40552427195c199a2bfc98ceb0a0356f3f95159ce630fc
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2b88a94827d6b3f8d06fb671e58e139fecc4f5512a6dd3b1c2513a0012a70b05
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D731AF72600604BBCB10EF65CC88AAEB7B8FF45B50F14452DF91697641DB30A902CF90
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                                                      control_flow_graph 338 410de4-410dfc 339 410e2b-410e4d KiUserExceptionDispatcher 338->339 340 410dfe-410e01 338->340 341 410e21-410e24 340->341 342 410e03-410e1f 340->342 341->339 343 410e26 341->343 342->339 342->341 343->339
                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,?,001C12DB,0044A9EF,?,00409AA2,?,00654164,00000000,?,00000000,?,0044A9EF,000000FF), ref: 00410E44
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000003.00000002.3873639705.0000000000021000.00000020.00000001.01000000.00000010.sdmp, Offset: 00020000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_20000_officesetup.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: DispatcherExceptionUser
                                                                                                                                                                                                                                                      • String ID: dAe
                                                                                                                                                                                                                                                      • API String ID: 6842923-1680167293
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • GetLastError.KERNEL32(006548C0,0000000C), ref: 0042C9B0
                                                                                                                                                                                                                                                      • ExitThread.KERNEL32 ref: 0042C9B7
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000003.00000002.3873639705.0000000000021000.00000020.00000001.01000000.00000010.sdmp, Offset: 00020000, based on PE: true
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: ErrorExitLastThread
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1611280651-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                                      control_flow_graph 365 182f03-182f20 call 17f48a 368 182f31-182f4a 365->368 369 182f22-182f2e 365->369 370 182f4c-182f63 368->370 371 182f66-182f77 368->371 370->371 373 182f79-182f7f 371->373 374 182fb6-182fbb 371->374 373->374 377 182f81-182f85 373->377 375 182fd8-182fda 374->375 376 182fbd-182fc0 374->376 382 182fdf-182ff1 call 17f5c3 375->382 376->375 379 182fc2-182fcb 376->379 377->374 378 182f87-182f94 377->378 378->374 380 182f96-182f9c 378->380 379->375 381 182fcd-182fd5 379->381 383 182fab-182faf 380->383 384 182f9e-182fa7 ResetEvent 380->384 381->375 383->374 384->383
                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000003.00000002.3873639705.0000000000021000.00000020.00000001.01000000.00000010.sdmp, Offset: 00020000, based on PE: true
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: EventReset
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 2632953641-0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                                      control_flow_graph 387 2e47e-2e48a 388 2e497-2e4af call 2e35b 387->388 389 2e48c-2e48e call 2e518 387->389 395 2e512-2e517 call 2e3ae 388->395 396 2e4b1-2e4ca call 2e580 call 2e47e 388->396 392 2e493-2e494 389->392 402 2e4cf-2e4f8 call 410890 396->402 405 2e4fa-2e503 call 2e55d 402->405 406 2e508-2e50f 402->406 405->406
                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 0002E497
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000003.00000002.3873639705.0000000000021000.00000020.00000001.01000000.00000010.sdmp, Offset: 00020000, based on PE: true
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: Concurrency::cancel_current_task
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 118556049-0
                                                                                                                                                                                                                                                      • Opcode ID: 704996b0ca01862e1e2391e5692c0533a9a6dc45f5c0a643d2a6f7e09772fee7
                                                                                                                                                                                                                                                      • Instruction ID: 11198d9bb02893812a0a8562813637215dc72aa3b7f92bb47cf688d8f624ed3e
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 704996b0ca01862e1e2391e5692c0533a9a6dc45f5c0a643d2a6f7e09772fee7
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E411E571610225ABCB14EF68E8849AEB7EAFF89310750462DF519CB642EB30ED50C7E4
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                                                      control_flow_graph 408 436ed7-436ee3 409 436f15-436f20 call 41a844 408->409 410 436ee5-436ee7 408->410 417 436f22-436f24 409->417 412 436f00-436f11 RtlAllocateHeap 410->412 413 436ee9-436eea 410->413 415 436f13 412->415 416 436eec-436ef3 call 43628b 412->416 413->412 415->417 416->409 420 436ef5-436efe call 440994 416->420 420->409 420->412
                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • RtlAllocateHeap.NTDLL(00000000,?,?,?,0017F366,00000038,?,?,?,0018510E,00000000,00000001), ref: 00436F09
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000003.00000002.3873639705.0000000000021000.00000020.00000001.01000000.00000010.sdmp, Offset: 00020000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_20000_officesetup.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: AllocateHeap
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1279760036-0
                                                                                                                                                                                                                                                      • Opcode ID: 7e429dce23c8a8597f027004aad31abf4bd5cf2421fb664baaba88f150cfc274
                                                                                                                                                                                                                                                      • Instruction ID: 659f7a04a7a70d93e34b8a48ec762838a0021c9b32f73d88ca45f61b6285354b
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7e429dce23c8a8597f027004aad31abf4bd5cf2421fb664baaba88f150cfc274
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6EE0E53110422377E7212726AC05BAB7A489B097E4F0BA127FC1492391DB2CCC0086AD
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000003.00000002.3873639705.0000000000021000.00000020.00000001.01000000.00000010.sdmp, Offset: 00020000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_20000_officesetup.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: ea1e141ee4ae02db7c317009355075fe9aa6e79c8ef47dfd8fcae3dd6d392cc6
                                                                                                                                                                                                                                                      • Instruction ID: 320f8bb2647f1139ccd39ec0cff91023dc0542484fd8ccb2bdfd152ffb3553ab
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ea1e141ee4ae02db7c317009355075fe9aa6e79c8ef47dfd8fcae3dd6d392cc6
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 46F0A071A10324ABCB12CB8CD405A4973A8EB48B64F0151ABE000DB240C274ED00CBC4
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000003.00000002.3873639705.0000000000021000.00000020.00000001.01000000.00000010.sdmp, Offset: 00020000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_20000_officesetup.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: c0f9414f47634aeb91a0dea5a82ebd76113e04827b695129cbc136b9a336a653
                                                                                                                                                                                                                                                      • Instruction ID: da1f6cc83a14803da2ee5c986c29a91f97d139a22a75cfb9abbe63e008cafd2b
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c0f9414f47634aeb91a0dea5a82ebd76113e04827b695129cbc136b9a336a653
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6FE04632912228EBCB15DB89994498AF2ACEB48B04F51009AB941E3201C278EE00DBD4
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000003.00000002.3873639705.0000000000021000.00000020.00000001.01000000.00000010.sdmp, Offset: 00020000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_20000_officesetup.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: 3083d3325f57a57b74647d63a94b30f99ccf9c8beca480cf5c34aa5ce54bf61e
                                                                                                                                                                                                                                                      • Instruction ID: 0cb844458854f64a05fde77ede91d4c5a9df9b881141963ac4bf4ca7397ce180
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3083d3325f57a57b74647d63a94b30f99ccf9c8beca480cf5c34aa5ce54bf61e
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 46C08C3400090086CE298D5082713A73394B3A97C3F8064CED8020B753C52EED8AD644
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • __EH_prolog3.LIBCMT ref: 0007EFA8
                                                                                                                                                                                                                                                      • std::_Xinvalid_argument.LIBCPMT ref: 0007F0EF
                                                                                                                                                                                                                                                        • Part of subcall function 00409A83: std::bad_exception::bad_exception.LIBCMT ref: 00409A8F
                                                                                                                                                                                                                                                        • Part of subcall function 00409A83: std::bad_exception::bad_exception.LIBCMT ref: 00409AAF
                                                                                                                                                                                                                                                        • Part of subcall function 00409A83: std::bad_exception::bad_exception.LIBCMT ref: 00409AEF
                                                                                                                                                                                                                                                        • Part of subcall function 00409A83: InitializeCriticalSectionEx.KERNEL32(?,00000FA0,00000000,?,?,00655528,?,?,?,?), ref: 00409B17
                                                                                                                                                                                                                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 0007F0F4
                                                                                                                                                                                                                                                      • __EH_prolog3.LIBCMT ref: 0007F101
                                                                                                                                                                                                                                                      • std::_Xinvalid_argument.LIBCPMT ref: 0007F254
                                                                                                                                                                                                                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 0007F259
                                                                                                                                                                                                                                                      • __EH_prolog3.LIBCMT ref: 0007F266
                                                                                                                                                                                                                                                      • std::_Xinvalid_argument.LIBCPMT ref: 0007F392
                                                                                                                                                                                                                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 0007F397
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000003.00000002.3873639705.0000000000021000.00000020.00000001.01000000.00000010.sdmp, Offset: 00020000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_20000_officesetup.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: Concurrency::cancel_current_taskH_prolog3Xinvalid_argumentstd::_std::bad_exception::bad_exception$CriticalInitializeSection
                                                                                                                                                                                                                                                      • String ID: unordered_map/set too long
                                                                                                                                                                                                                                                      • API String ID: 209365456-306623848
                                                                                                                                                                                                                                                      • Opcode ID: 6ee5f9b81166411b6d05c3070bb4ff244e3ab7f448c0b953cfec8bd7226d217b
                                                                                                                                                                                                                                                      • Instruction ID: e94c3cdba33a62c2975a66fd25cb07f0aadb33b4fc4da054b252cb34d6b1fa3e
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6ee5f9b81166411b6d05c3070bb4ff244e3ab7f448c0b953cfec8bd7226d217b
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 35E19075A0060ADFCB10DFA9C480AADB7F4FF59314B14C66AE849AB342D738E951CB94
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • LeaveCriticalSection.KERNEL32(?,D0B23B53,?,?), ref: 00183621
                                                                                                                                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 0018369A
                                                                                                                                                                                                                                                      • EnterCriticalSection.KERNEL32(?), ref: 001836BB
                                                                                                                                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 001836EA
                                                                                                                                                                                                                                                      • EnterCriticalSection.KERNEL32(?), ref: 00183700
                                                                                                                                                                                                                                                      • ResetEvent.KERNEL32(?,D0B23B53,?,?), ref: 001837BE
                                                                                                                                                                                                                                                      • LeaveCriticalSection.KERNEL32(?,D0B23B53,?,?), ref: 00183816
                                                                                                                                                                                                                                                      • SetEvent.KERNEL32(?,D0B23B53,?,?), ref: 00183858
                                                                                                                                                                                                                                                      • ResetEvent.KERNEL32(?), ref: 0018387D
                                                                                                                                                                                                                                                      • LeaveCriticalSection.KERNEL32(?,D0B23B53,?,?), ref: 001838DC
                                                                                                                                                                                                                                                      • ResetEvent.KERNEL32(?,D0B23B53,?,?), ref: 0018390D
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000003.00000002.3873639705.0000000000021000.00000020.00000001.01000000.00000010.sdmp, Offset: 00020000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000003.00000002.3876257986.000000000069B000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_20000_officesetup.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: CriticalSection$Event$LeaveReset$CurrentEnterThread
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 2955375572-0
                                                                                                                                                                                                                                                      • Opcode ID: 3d5e277a4da4cc5e0f31551258ac9d079e33b573f7bb8163c3b2899607671478
                                                                                                                                                                                                                                                      • Instruction ID: 8837eaa8632ad183521aee7986f684d7cb22781d3bfc0b0256d2c2d659c248b1
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3d5e277a4da4cc5e0f31551258ac9d079e33b573f7bb8163c3b2899607671478
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D6C1CEB19006459BDB24EF68C4487A9BBF4BF09724F294699E8659B392D730DF44CF80
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • _ValidateLocalCookies.LIBCMT ref: 0040F69D
                                                                                                                                                                                                                                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 0040F6A5
                                                                                                                                                                                                                                                      • _ValidateLocalCookies.LIBCMT ref: 0040F72E
                                                                                                                                                                                                                                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 0040F759
                                                                                                                                                                                                                                                      • _ValidateLocalCookies.LIBCMT ref: 0040F7AE
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000003.00000002.3873639705.0000000000021000.00000020.00000001.01000000.00000010.sdmp, Offset: 00020000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_20000_officesetup.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                                                                                                      • String ID: csm
                                                                                                                                                                                                                                                      • API String ID: 1170836740-1018135373
                                                                                                                                                                                                                                                      • Opcode ID: 57148da49229c5613d9cf9274cfbbe57b8d7ba6eada466f0cdd71d14378c2ba5
                                                                                                                                                                                                                                                      • Instruction ID: 9153908ef8ca04c2fadfb28eed40f739a094e53b2de806d7895a46ebf269c8da
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 57148da49229c5613d9cf9274cfbbe57b8d7ba6eada466f0cdd71d14378c2ba5
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B941B934A00205AFCF20DF69C88499E7BB5EF45318F14817AED146B392D739DE4ACB95
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00443A0E,0044396D,00443C12), ref: 004439AA
                                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 004439C0
                                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 004439D5
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000003.00000002.3873639705.0000000000021000.00000020.00000001.01000000.00000010.sdmp, Offset: 00020000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_20000_officesetup.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: AddressProc$HandleModule
                                                                                                                                                                                                                                                      • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                                                                                                                                                                                                                      • API String ID: 667068680-1718035505
                                                                                                                                                                                                                                                      • Opcode ID: c532214a6158a27615f08360e8be9af051b199e4dea61280a978f9068e893480
                                                                                                                                                                                                                                                      • Instruction ID: c78359f111a6f35dad3c9a42f753db500a74b32dc5cdf6317bfa4be23a6e3a59
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c532214a6158a27615f08360e8be9af051b199e4dea61280a978f9068e893480
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B2F028717853136B7B205F640C4913B6AE8AA01F86328553FD842E3350E768CD0687CC
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,?,004125F3,0040F627,00444215), ref: 0041260A
                                                                                                                                                                                                                                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00412618
                                                                                                                                                                                                                                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00412631
                                                                                                                                                                                                                                                      • SetLastError.KERNEL32(00000000,004125F3,0040F627,00444215), ref: 00412683
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000003.00000002.3873639705.0000000000021000.00000020.00000001.01000000.00000010.sdmp, Offset: 00020000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_20000_officesetup.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 3852720340-0
                                                                                                                                                                                                                                                      • Opcode ID: 84657931aa8f0f90d12da4b6e5aa70c41dfa0f3d02afc3dc9eda9dffc25bb732
                                                                                                                                                                                                                                                      • Instruction ID: db140d78b17e6f6e66dd2a36b3bda8239e78193f841ce1a027250fc0d2da2353
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 84657931aa8f0f90d12da4b6e5aa70c41dfa0f3d02afc3dc9eda9dffc25bb732
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9E01D43220D71A6EA7282A797D999EB2785EB0137DB24033FF418C11E1FF994C92524C
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,D0B23B53,?,?,00000000,004503EB,000000FF,?,00433203,?,?,004331DC,00000016), ref: 004332A8
                                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004332BA
                                                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(00000000,?,00000000,004503EB,000000FF,?,00433203,?,?,004331DC,00000016), ref: 004332DC
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000003.00000002.3873639705.0000000000021000.00000020.00000001.01000000.00000010.sdmp, Offset: 00020000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_20000_officesetup.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                                      • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                                      • Opcode ID: 1aaefccd221f1916aab06992d2eeb92eadcacf1b8617f3b321ea781b2e18cd9d
                                                                                                                                                                                                                                                      • Instruction ID: 9b8f6150d67d982b5b75479c336d5ef4dbb526b3ffc656aee6b0a5fc16ac56fb
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1aaefccd221f1916aab06992d2eeb92eadcacf1b8617f3b321ea781b2e18cd9d
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BE01A731904A15ABDB119F50DC09FBFB7B8FB04B11F04492AFC12A26D0D7789D00CB54
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • GetTickCount64.KERNEL32 ref: 0017D366
                                                                                                                                                                                                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0017D3B7
                                                                                                                                                                                                                                                      • TranslateMessage.USER32(?), ref: 0017D3CC
                                                                                                                                                                                                                                                      • DispatchMessageW.USER32(?), ref: 0017D3D6
                                                                                                                                                                                                                                                      • GetTickCount64.KERNEL32 ref: 0017D3E4
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000003.00000002.3873639705.0000000000021000.00000020.00000001.01000000.00000010.sdmp, Offset: 00020000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_20000_officesetup.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: Message$Count64Tick$DispatchPeekTranslate
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 2295797121-0
                                                                                                                                                                                                                                                      • Opcode ID: 6420c368d69c47a8baab201ee8f8b6a261a254a64b59f9ab94aabfb2ecfdaaa0
                                                                                                                                                                                                                                                      • Instruction ID: fd71d498c4a8f685382f086a4d788197e167524474afe0b76ab35cf8d2ba3dfa
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6420c368d69c47a8baab201ee8f8b6a261a254a64b59f9ab94aabfb2ecfdaaa0
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4731A471E0020DABCB04CFA8ECC45EEBB79BF45350F148569E959E3281D3709D818B61
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 000CD0D0
                                                                                                                                                                                                                                                      • EnterCriticalSection.KERNEL32(?,?,?,?,00181004,?,00000000,?,?), ref: 000CD0E6
                                                                                                                                                                                                                                                      • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00181004,?,00000000,?,?), ref: 000CD122
                                                                                                                                                                                                                                                      • QueryDepthSList.KERNEL32(?,?,?,?,?,?,00181004,?,00000000,?,?), ref: 000CD14D
                                                                                                                                                                                                                                                      • InterlockedPushEntrySList.KERNEL32(?,?,?,?,?,?,?,00181004,?,00000000,?,?), ref: 000CD172
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000003.00000002.3873639705.0000000000021000.00000020.00000001.01000000.00000010.sdmp, Offset: 00020000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_20000_officesetup.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: CriticalListSection$CurrentDepthEnterEntryInterlockedLeavePushQueryThread
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 512591718-0
                                                                                                                                                                                                                                                      • Opcode ID: 503819a56020c9e54648729ce0effc44ce6a831248ae2dbfad0f299be32ad155
                                                                                                                                                                                                                                                      • Instruction ID: 5a0da652fa0607e4b1dbbf074ee542e1cf84470d21cf8e8f3956e6cad414da74
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 503819a56020c9e54648729ce0effc44ce6a831248ae2dbfad0f299be32ad155
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: FE21A176500700AFC730DF29D444ABAF7F8FB89320B148A6EE89683650D771BC45DBA4
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • GetTickCount64.KERNEL32 ref: 00168F39
                                                                                                                                                                                                                                                      • WaitForMultipleObjectsEx.KERNEL32(00000001,00000004,00000000,?,00000001,00000001,00000004,00000000,00000004,00000001), ref: 00168F58
                                                                                                                                                                                                                                                      • GetTickCount64.KERNEL32 ref: 00168F76
                                                                                                                                                                                                                                                      • GetTickCount64.KERNEL32 ref: 00168FAF
                                                                                                                                                                                                                                                      • WaitForMultipleObjectsEx.KERNEL32(00000000,?,00000000,?,00000001), ref: 00168FC4
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000003.00000002.3873639705.0000000000021000.00000020.00000001.01000000.00000010.sdmp, Offset: 00020000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_20000_officesetup.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: Count64Tick$MultipleObjectsWait
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 1069511965-0
                                                                                                                                                                                                                                                      • Opcode ID: 73089ff977fd7dbc2a58a03324d024660c9ab9b8e9d5f82a559c053bf4dbb7ff
                                                                                                                                                                                                                                                      • Instruction ID: 5b64475e2b4b23c5244e64907dc00f77a5ff40e5d9c2534bdfbf7e71bfbef9e4
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 73089ff977fd7dbc2a58a03324d024660c9ab9b8e9d5f82a559c053bf4dbb7ff
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: FC213135E00518EBDB14DFACDC846AEB7B6AF48320F258765ED24A7290DB709D518B50
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • EnterCriticalSection.KERNEL32(0068ABD4,000B8396,?,000B81E2,00699750,001C12DB,00000000,000B8216,D0B23B53,001C12DB,00000000,00000001,0044A9EF,0044A9EF,00000000,004550E0), ref: 0040E328
                                                                                                                                                                                                                                                      • LeaveCriticalSection.KERNEL32(0068ABD4,?,000B81E2,00699750,001C12DB,00000000,000B8216,D0B23B53,001C12DB,00000000,00000001,0044A9EF,0044A9EF,00000000,004550E0,000000FF), ref: 0040E358
                                                                                                                                                                                                                                                      • WakeAllConditionVariable.KERNEL32(?,00699750,001C12DB,00000000,000B8216,D0B23B53,001C12DB,00000000,00000001,0044A9EF,0044A9EF,00000000,004550E0,000000FF,?,000B8396), ref: 0040E3C9
                                                                                                                                                                                                                                                      • SetEvent.KERNEL32(?,00699750,001C12DB,00000000,000B8216,D0B23B53,001C12DB,00000000,00000001,0044A9EF,0044A9EF,00000000,004550E0,000000FF,?,000B8396), ref: 0040E3D3
                                                                                                                                                                                                                                                      • ResetEvent.KERNEL32(?,00699750,001C12DB,00000000,000B8216,D0B23B53,001C12DB,00000000,00000001,0044A9EF,0044A9EF,00000000,004550E0,000000FF,?,000B8396), ref: 0040E3DF
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000003.00000002.3873639705.0000000000021000.00000020.00000001.01000000.00000010.sdmp, Offset: 00020000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_20000_officesetup.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 3916383385-0
                                                                                                                                                                                                                                                      • Opcode ID: 5f285c3bc0f6cfa773a612c22bb9f2d48baf4009f9261b8a03f9f19157d31438
                                                                                                                                                                                                                                                      • Instruction ID: a20f858da84ccbdf4e6795eb9b2b948ae45939b0070018dfcfa4b43ca5b0a630
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5f285c3bc0f6cfa773a612c22bb9f2d48baf4009f9261b8a03f9f19157d31438
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 10016935500A20EBCB11EF58FC588A87BABEB49311705642BFD02933A1CB345C10DF8A
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • SleepConditionVariableCS.KERNEL32(?,0040E387,00000064,?,000B81A3,00699750,001C12DB,00000000,000B8216,D0B23B53,001C12DB,00000000,00000001,0044A9EF,0044A9EF,00000000), ref: 0040E40A
                                                                                                                                                                                                                                                      • LeaveCriticalSection.KERNEL32(0068ABD4,00000000,?,0040E387,00000064,?,000B81A3,00699750,001C12DB,00000000,000B8216,D0B23B53,001C12DB,00000000,00000001,0044A9EF), ref: 0040E414
                                                                                                                                                                                                                                                      • WaitForSingleObjectEx.KERNEL32(00000000,00000000,?,0040E387,00000064,?,000B81A3,00699750,001C12DB,00000000,000B8216,D0B23B53,001C12DB,00000000,00000001,0044A9EF), ref: 0040E425
                                                                                                                                                                                                                                                      • EnterCriticalSection.KERNEL32(0068ABD4,?,0040E387,00000064,?,000B81A3,00699750,001C12DB,00000000,000B8216,D0B23B53,001C12DB,00000000,00000001,0044A9EF,0044A9EF), ref: 0040E42C
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000003.00000002.3873639705.0000000000021000.00000020.00000001.01000000.00000010.sdmp, Offset: 00020000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_20000_officesetup.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 3269011525-0
                                                                                                                                                                                                                                                      • Opcode ID: d1fa291c0342410d9613d19c3d1f61d2eebb17b5d187b62b185c502e9250588b
                                                                                                                                                                                                                                                      • Instruction ID: 814b88ebde2e5c8764c3f4b2996368daa2060057e30067b752e57d10256fe5f8
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d1fa291c0342410d9613d19c3d1f61d2eebb17b5d187b62b185c502e9250588b
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 12E09231540924B7DB012BD1EC0CD9D3E1BEB09720B050936FE06726A0C7751C10EBDA
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • VirtualQuery.KERNEL32(80000000,0044398D,0000001C,00443B82,00000000,?,?,?,?,?,?,?,0044398D,00000004,0068B810,00443C12), ref: 00443A59
                                                                                                                                                                                                                                                      • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,0044398D,00000004,0068B810,00443C12), ref: 00443A74
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000003.00000002.3873639705.0000000000021000.00000020.00000001.01000000.00000010.sdmp, Offset: 00020000, based on PE: true
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_20000_officesetup.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: InfoQuerySystemVirtual
                                                                                                                                                                                                                                                      • String ID: D
                                                                                                                                                                                                                                                      • API String ID: 401686933-2746444292
                                                                                                                                                                                                                                                      • Opcode ID: 5e214f2380d363b2cd12dce8eb41dce384cb53975e98ba9238c2fb256033a569
                                                                                                                                                                                                                                                      • Instruction ID: 76553de04f6061ec01ccbcb47a1ddbd086e677fc4b4fc35c20976f37a35d1356
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5e214f2380d363b2cd12dce8eb41dce384cb53975e98ba9238c2fb256033a569
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9C01F733A401096BDB14DE29DC05BEE7BADAFC4325F0CC125AE99E7244E638DE06C784
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%